svn commit: r254402 - in stable/9: contrib/bind9 contrib/bind9/bin contrib/bind9/bin/check contrib/bind9/bin/confgen contrib/bind9/bin/dig contrib/bind9/bin/dig/include/dig contrib/bind9/bin/dnssec...

Fri Aug 16 07:11:16 UTC 2013

Author: erwin
Date: Fri Aug 16 07:11:13 2013
New Revision: 254402
URL: http://svnweb.freebsd.org/changeset/base/254402

Log:
  MFC 253983, 253984:
  
    Update Bind to 9.8.5-P2
  
    New Features
  
       Adds a new configuration option, "check-spf"; valid values are
       "warn" (default) and "ignore".  When set to "warn", checks SPF
       and TXT records in spf format, warning if either resource record
       type occurs without a corresponding record of the other resource
       record type.  [RT #33355]
  
       Adds support for Uniform Resource Identifier (URI) resource
       records. [RT #23386]
  
       Adds support for the EUI48 and EUI64 RR types. [RT #33082]
  
       Adds support for the RFC 6742 ILNP record types (NID, LP, L32,
       and L64). [RT #31836]
  
    Feature Changes
  
       Changes timing of when slave zones send NOTIFY messages after
       loading a new copy of the zone.  They now send the NOTIFY before
       writing the zone data to disk.  This will result in quicker
       propagation of updates in multi-level server structures. [RT #27242]
       "named -V" can now report a source ID string.  (This is will be
       of most interest to developers and troubleshooters).  The source
  
       ID for ISC's production versions of BIND is defined in the "srcid"
       file in the build tree and is normally set to the most recent
       git hash. [RT #31494]
  
       Response Policy Zone performance enhancements.  New "response-policy"
       option "min-ns-dots".  "nsip" and "nsdname" now enabled by default
       with RPZ. [RT #32251]
  
  Approved by:  delphij (mentor)
  Sponsored by: DK Hostmaster A/S

Added:
  stable/9/contrib/bind9/lib/dns/rdata/generic/eui48_108.c
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/eui48_108.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/eui48_108.h
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/eui48_108.h
  stable/9/contrib/bind9/lib/dns/rdata/generic/eui64_109.c
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/eui64_109.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/eui64_109.h
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/eui64_109.h
  stable/9/contrib/bind9/lib/dns/rdata/generic/l32_105.c
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/l32_105.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/l32_105.h
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/l32_105.h
  stable/9/contrib/bind9/lib/dns/rdata/generic/l64_106.c
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/l64_106.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/l64_106.h
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/l64_106.h
  stable/9/contrib/bind9/lib/dns/rdata/generic/lp_107.c
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/lp_107.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/lp_107.h
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/lp_107.h
  stable/9/contrib/bind9/lib/dns/rdata/generic/nid_104.c
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/nid_104.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/nid_104.h
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/nid_104.h
  stable/9/contrib/bind9/lib/dns/rdata/generic/uri_256.c
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/uri_256.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/uri_256.h
     - copied unchanged from r253983, head/contrib/bind9/lib/dns/rdata/generic/uri_256.h
  stable/9/contrib/bind9/lib/isc/include/isc/regex.h
     - copied unchanged from r253983, head/contrib/bind9/lib/isc/include/isc/regex.h
  stable/9/contrib/bind9/lib/isc/regex.c
     - copied unchanged from r253983, head/contrib/bind9/lib/isc/regex.c
Replaced:
  stable/9/contrib/bind9/libtool.m4/
     - copied from r253983, head/contrib/bind9/libtool.m4/
Deleted:
  stable/9/contrib/bind9/libtool.m4/lt~obsolete.m4
Modified:
  stable/9/contrib/bind9/CHANGES
  stable/9/contrib/bind9/COPYRIGHT
  stable/9/contrib/bind9/FAQ
  stable/9/contrib/bind9/FAQ.xml
  stable/9/contrib/bind9/Makefile.in
  stable/9/contrib/bind9/README
  stable/9/contrib/bind9/aclocal.m4
  stable/9/contrib/bind9/bin/Makefile.in
  stable/9/contrib/bind9/bin/check/check-tool.c
  stable/9/contrib/bind9/bin/check/named-checkconf.c
  stable/9/contrib/bind9/bin/check/named-checkzone.8
  stable/9/contrib/bind9/bin/check/named-checkzone.c
  stable/9/contrib/bind9/bin/check/named-checkzone.docbook
  stable/9/contrib/bind9/bin/check/named-checkzone.html
  stable/9/contrib/bind9/bin/confgen/keygen.c
  stable/9/contrib/bind9/bin/confgen/rndc-confgen.c
  stable/9/contrib/bind9/bin/dig/dig.1
  stable/9/contrib/bind9/bin/dig/dig.c
  stable/9/contrib/bind9/bin/dig/dig.docbook
  stable/9/contrib/bind9/bin/dig/dig.html
  stable/9/contrib/bind9/bin/dig/dighost.c
  stable/9/contrib/bind9/bin/dig/host.c
  stable/9/contrib/bind9/bin/dig/include/dig/dig.h
  stable/9/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
  stable/9/contrib/bind9/bin/dnssec/dnssec-keygen.c
  stable/9/contrib/bind9/bin/dnssec/dnssec-revoke.c
  stable/9/contrib/bind9/bin/dnssec/dnssec-settime.c
  stable/9/contrib/bind9/bin/dnssec/dnssec-signzone.c
  stable/9/contrib/bind9/bin/named/Makefile.in
  stable/9/contrib/bind9/bin/named/client.c
  stable/9/contrib/bind9/bin/named/config.c
  stable/9/contrib/bind9/bin/named/control.c
  stable/9/contrib/bind9/bin/named/controlconf.c
  stable/9/contrib/bind9/bin/named/include/named/client.h
  stable/9/contrib/bind9/bin/named/include/named/globals.h
  stable/9/contrib/bind9/bin/named/include/named/server.h
  stable/9/contrib/bind9/bin/named/interfacemgr.c
  stable/9/contrib/bind9/bin/named/log.c
  stable/9/contrib/bind9/bin/named/logconf.c
  stable/9/contrib/bind9/bin/named/lwresd.c
  stable/9/contrib/bind9/bin/named/main.c
  stable/9/contrib/bind9/bin/named/named.conf.5
  stable/9/contrib/bind9/bin/named/named.conf.docbook
  stable/9/contrib/bind9/bin/named/named.conf.html
  stable/9/contrib/bind9/bin/named/query.c
  stable/9/contrib/bind9/bin/named/server.c
  stable/9/contrib/bind9/bin/named/statschannel.c
  stable/9/contrib/bind9/bin/named/tkeyconf.c
  stable/9/contrib/bind9/bin/named/tsigconf.c
  stable/9/contrib/bind9/bin/named/unix/dlz_dlopen_driver.c
  stable/9/contrib/bind9/bin/named/update.c
  stable/9/contrib/bind9/bin/named/xfrout.c
  stable/9/contrib/bind9/bin/named/zoneconf.c
  stable/9/contrib/bind9/bin/nsupdate/nsupdate.c
  stable/9/contrib/bind9/bin/rndc/rndc.c
  stable/9/contrib/bind9/bin/tools/genrandom.c
  stable/9/contrib/bind9/bin/tools/isc-hmac-fixup.8
  stable/9/contrib/bind9/bin/tools/isc-hmac-fixup.docbook
  stable/9/contrib/bind9/bin/tools/isc-hmac-fixup.html
  stable/9/contrib/bind9/config.h.in
  stable/9/contrib/bind9/config.threads.in
  stable/9/contrib/bind9/configure.in
  stable/9/contrib/bind9/doc/arm/Bv9ARM-book.xml
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.pdf
  stable/9/contrib/bind9/doc/arm/man.arpaname.html
  stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html
  stable/9/contrib/bind9/doc/arm/man.dig.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-keygen.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-revoke.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-settime.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-signzone.html
  stable/9/contrib/bind9/doc/arm/man.genrandom.html
  stable/9/contrib/bind9/doc/arm/man.host.html
  stable/9/contrib/bind9/doc/arm/man.isc-hmac-fixup.html
  stable/9/contrib/bind9/doc/arm/man.named-checkconf.html
  stable/9/contrib/bind9/doc/arm/man.named-checkzone.html
  stable/9/contrib/bind9/doc/arm/man.named-journalprint.html
  stable/9/contrib/bind9/doc/arm/man.named.html
  stable/9/contrib/bind9/doc/arm/man.nsec3hash.html
  stable/9/contrib/bind9/doc/arm/man.nsupdate.html
  stable/9/contrib/bind9/doc/arm/man.rndc-confgen.html
  stable/9/contrib/bind9/doc/arm/man.rndc.conf.html
  stable/9/contrib/bind9/doc/arm/man.rndc.html
  stable/9/contrib/bind9/doc/arm/pkcs11.xml
  stable/9/contrib/bind9/doc/misc/options
  stable/9/contrib/bind9/isc-config.sh.in
  stable/9/contrib/bind9/lib/Makefile.in
  stable/9/contrib/bind9/lib/bind9/Makefile.in
  stable/9/contrib/bind9/lib/bind9/api
  stable/9/contrib/bind9/lib/bind9/check.c
  stable/9/contrib/bind9/lib/dns/Makefile.in
  stable/9/contrib/bind9/lib/dns/acache.c
  stable/9/contrib/bind9/lib/dns/adb.c
  stable/9/contrib/bind9/lib/dns/api
  stable/9/contrib/bind9/lib/dns/cache.c
  stable/9/contrib/bind9/lib/dns/client.c
  stable/9/contrib/bind9/lib/dns/db.c
  stable/9/contrib/bind9/lib/dns/dispatch.c
  stable/9/contrib/bind9/lib/dns/dlz.c
  stable/9/contrib/bind9/lib/dns/dnssec.c
  stable/9/contrib/bind9/lib/dns/dst_api.c
  stable/9/contrib/bind9/lib/dns/dst_internal.h
  stable/9/contrib/bind9/lib/dns/dst_openssl.h
  stable/9/contrib/bind9/lib/dns/ecdb.c
  stable/9/contrib/bind9/lib/dns/gen.c
  stable/9/contrib/bind9/lib/dns/gssapictx.c
  stable/9/contrib/bind9/lib/dns/include/dns/acache.h
  stable/9/contrib/bind9/lib/dns/include/dns/db.h
  stable/9/contrib/bind9/lib/dns/include/dns/message.h
  stable/9/contrib/bind9/lib/dns/include/dns/name.h
  stable/9/contrib/bind9/lib/dns/include/dns/ncache.h
  stable/9/contrib/bind9/lib/dns/include/dns/nsec.h
  stable/9/contrib/bind9/lib/dns/include/dns/nsec3.h
  stable/9/contrib/bind9/lib/dns/include/dns/rdata.h
  stable/9/contrib/bind9/lib/dns/include/dns/result.h
  stable/9/contrib/bind9/lib/dns/include/dns/rpz.h
  stable/9/contrib/bind9/lib/dns/include/dns/types.h
  stable/9/contrib/bind9/lib/dns/include/dns/validator.h
  stable/9/contrib/bind9/lib/dns/include/dns/view.h
  stable/9/contrib/bind9/lib/dns/include/dns/zone.h
  stable/9/contrib/bind9/lib/dns/include/dst/dst.h
  stable/9/contrib/bind9/lib/dns/master.c
  stable/9/contrib/bind9/lib/dns/message.c
  stable/9/contrib/bind9/lib/dns/name.c
  stable/9/contrib/bind9/lib/dns/ncache.c
  stable/9/contrib/bind9/lib/dns/nsec.c
  stable/9/contrib/bind9/lib/dns/nsec3.c
  stable/9/contrib/bind9/lib/dns/openssl_link.c
  stable/9/contrib/bind9/lib/dns/openssldsa_link.c
  stable/9/contrib/bind9/lib/dns/opensslecdsa_link.c
  stable/9/contrib/bind9/lib/dns/opensslgost_link.c
  stable/9/contrib/bind9/lib/dns/opensslrsa_link.c
  stable/9/contrib/bind9/lib/dns/peer.c
  stable/9/contrib/bind9/lib/dns/rbt.c
  stable/9/contrib/bind9/lib/dns/rbtdb.c
  stable/9/contrib/bind9/lib/dns/rdata.c
  stable/9/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/mx_15.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/txt_16.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
  stable/9/contrib/bind9/lib/dns/request.c
  stable/9/contrib/bind9/lib/dns/resolver.c
  stable/9/contrib/bind9/lib/dns/result.c
  stable/9/contrib/bind9/lib/dns/rootns.c
  stable/9/contrib/bind9/lib/dns/rpz.c
  stable/9/contrib/bind9/lib/dns/sdb.c
  stable/9/contrib/bind9/lib/dns/sdlz.c
  stable/9/contrib/bind9/lib/dns/spnego.c
  stable/9/contrib/bind9/lib/dns/spnego_asn1.c
  stable/9/contrib/bind9/lib/dns/ssu.c
  stable/9/contrib/bind9/lib/dns/ssu_external.c
  stable/9/contrib/bind9/lib/dns/tkey.c
  stable/9/contrib/bind9/lib/dns/tsig.c
  stable/9/contrib/bind9/lib/dns/validator.c
  stable/9/contrib/bind9/lib/dns/view.c
  stable/9/contrib/bind9/lib/dns/xfrin.c
  stable/9/contrib/bind9/lib/dns/zone.c
  stable/9/contrib/bind9/lib/export/dns/Makefile.in
  stable/9/contrib/bind9/lib/export/irs/Makefile.in
  stable/9/contrib/bind9/lib/export/isc/Makefile.in
  stable/9/contrib/bind9/lib/export/isc/include/isc/Makefile.in
  stable/9/contrib/bind9/lib/export/isc/nls/Makefile.in
  stable/9/contrib/bind9/lib/export/isc/nothreads/Makefile.in
  stable/9/contrib/bind9/lib/export/isc/pthreads/Makefile.in
  stable/9/contrib/bind9/lib/export/isc/unix/Makefile.in
  stable/9/contrib/bind9/lib/export/isccfg/Makefile.in
  stable/9/contrib/bind9/lib/export/samples/Makefile.in
  stable/9/contrib/bind9/lib/export/samples/nsprobe.c
  stable/9/contrib/bind9/lib/export/samples/sample-async.c
  stable/9/contrib/bind9/lib/export/samples/sample-gai.c
  stable/9/contrib/bind9/lib/export/samples/sample-request.c
  stable/9/contrib/bind9/lib/export/samples/sample-update.c
  stable/9/contrib/bind9/lib/export/samples/sample.c
  stable/9/contrib/bind9/lib/irs/api
  stable/9/contrib/bind9/lib/irs/dnsconf.c
  stable/9/contrib/bind9/lib/irs/getaddrinfo.c
  stable/9/contrib/bind9/lib/irs/getnameinfo.c
  stable/9/contrib/bind9/lib/irs/resconf.c
  stable/9/contrib/bind9/lib/isc/Makefile.in
  stable/9/contrib/bind9/lib/isc/api
  stable/9/contrib/bind9/lib/isc/buffer.c
  stable/9/contrib/bind9/lib/isc/include/isc/Makefile.in
  stable/9/contrib/bind9/lib/isc/include/isc/buffer.h
  stable/9/contrib/bind9/lib/isc/include/isc/file.h
  stable/9/contrib/bind9/lib/isc/include/isc/list.h
  stable/9/contrib/bind9/lib/isc/include/isc/mem.h
  stable/9/contrib/bind9/lib/isc/include/isc/namespace.h
  stable/9/contrib/bind9/lib/isc/include/isc/region.h
  stable/9/contrib/bind9/lib/isc/include/isc/sockaddr.h
  stable/9/contrib/bind9/lib/isc/include/isc/socket.h
  stable/9/contrib/bind9/lib/isc/include/isc/task.h
  stable/9/contrib/bind9/lib/isc/include/isc/timer.h
  stable/9/contrib/bind9/lib/isc/inet_aton.c
  stable/9/contrib/bind9/lib/isc/mem.c
  stable/9/contrib/bind9/lib/isc/nothreads/Makefile.in
  stable/9/contrib/bind9/lib/isc/parseint.c
  stable/9/contrib/bind9/lib/isc/pthreads/thread.c
  stable/9/contrib/bind9/lib/isc/ratelimiter.c
  stable/9/contrib/bind9/lib/isc/sockaddr.c
  stable/9/contrib/bind9/lib/isc/sparc64/include/isc/atomic.h
  stable/9/contrib/bind9/lib/isc/symtab.c
  stable/9/contrib/bind9/lib/isc/task.c
  stable/9/contrib/bind9/lib/isc/taskpool.c
  stable/9/contrib/bind9/lib/isc/timer.c
  stable/9/contrib/bind9/lib/isc/timer_api.c
  stable/9/contrib/bind9/lib/isc/unix/entropy.c
  stable/9/contrib/bind9/lib/isc/unix/file.c
  stable/9/contrib/bind9/lib/isc/unix/include/isc/time.h
  stable/9/contrib/bind9/lib/isc/unix/net.c
  stable/9/contrib/bind9/lib/isc/unix/socket.c
  stable/9/contrib/bind9/lib/isc/unix/time.c
  stable/9/contrib/bind9/lib/isccc/api
  stable/9/contrib/bind9/lib/isccc/cc.c
  stable/9/contrib/bind9/lib/isccfg/Makefile.in
  stable/9/contrib/bind9/lib/isccfg/aclconf.c
  stable/9/contrib/bind9/lib/isccfg/api
  stable/9/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
  stable/9/contrib/bind9/lib/isccfg/namedconf.c
  stable/9/contrib/bind9/lib/isccfg/parser.c
  stable/9/contrib/bind9/lib/lwres/api
  stable/9/contrib/bind9/lib/lwres/context.c
  stable/9/contrib/bind9/lib/lwres/getaddrinfo.c
  stable/9/contrib/bind9/lib/lwres/getipnode.c
  stable/9/contrib/bind9/lib/lwres/getnameinfo.c
  stable/9/contrib/bind9/lib/lwres/getrrset.c
  stable/9/contrib/bind9/lib/lwres/lwinetaton.c
  stable/9/contrib/bind9/lib/lwres/print.c
  stable/9/contrib/bind9/ltmain.sh
  stable/9/contrib/bind9/make/rules.in
  stable/9/contrib/bind9/version
  stable/9/lib/bind/config.h
  stable/9/lib/bind/dns/code.h
  stable/9/lib/bind/dns/dns/enumtype.h
  stable/9/lib/bind/dns/dns/rdatastruct.h
  stable/9/lib/bind/isc/Makefile
  stable/9/usr.sbin/named/Makefile
Directory Properties:
  stable/9/contrib/bind9/   (props changed)
  stable/9/lib/bind/   (props changed)
  stable/9/usr.sbin/named/   (props changed)

Modified: stable/9/contrib/bind9/CHANGES
==============================================================================

--- stable/9/contrib/bind9/CHANGES	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/CHANGES	Fri Aug 16 07:11:13 2013	(r254402)
@@ -1,20 +1,392 @@
-	--- 9.8.4-P2 released ---
+	--- 9.8.5-P2 released ---
 
-3516.	[security]	Removed the check for regex.h in configure in order
-			to disable regex syntax checking, as it exposes
-			BIND to a critical flaw in libregex on some
-			platforms. [RT #32688]
+3621.	[security]	Incorrect bounds checking on private type 'keydata'
+			can lead to a remotely triggerable REQUIRE failure
+			(CVE-2013-4854). [RT #34238]
 
-	--- 9.8.4-P1 released ---
+	--- 9.8.5-P1 released ---
 
-3407.	[security]	Named could die on specific queries with dns64 enabled.
-			[Addressed in change #3388 for BIND 9.8.5 and 9.9.3.]
+3584.	[security]	Caching data from an incompletely signed zone could
+			trigger an assertion failure in resolver.c [RT #33690]
 
-	--- 9.8.4 released ---
+	--- 9.8.5 released ---
+
+3568.	[cleanup]	Add a product description line to the version file,
+			to be reported by named -v/-V. [RT #33366]
+
+3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]
+
+3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]
+
+3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
+			or NOTIMP.  Adjust usage message. [RT #33363]
+
+	--- 9.8.5rc1 released ---
+
+3560.	[bug]		isc-config.sh did not honor includedir and libdir
+			when set via configure. [RT #33345]
+
+3559.	[func]		Check that both forms of Sender Policy Framework
+			records exist or do not exist. [RT #33355]
+
+3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]
+
+3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.
+
+3555.	[bug]		Address theoretical race conditions in acache.c
+			(change #3553 was incomplete). [RT #33252]
+
+3553.	[bug]		Address suspected double free in acache. [RT #33252]
+
+3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
+			[RT #33280]
+
+3549.	[doc]		Documentation for "request-nsid" was missing.
+			[RT #33153]
+
+3548.	[bug]		The NSID request code in resolver.c was broken
+			resulting in invalid EDNS options being sent.
+			[RT #33153]
+
+3547.	[bug]		Some malformed unknown rdata records were not properly
+			detected and rejected. [RT #33129]
+
+3056.	[func]		Added support for URI resource record. [RT #23386]
+
+	--- 9.8.5rc1 released ---
+
+3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]
+
+3544.	[contrib]	check5011.pl: Script to report the status of
+			managed keys as recorded in managed-keys.bind.
+			Contributed by Tony Finch <dot at dotat.at>
+
+3543.	[bug]		Update socket structure before attaching to socket
+			manager after accept. [RT #33084]
+
+3542.	[bug]		masterformat system test was broken. [RT #33086]
+
+3541.	[bug]		Parts of libdns were not properly initialized when
+			built in libexport mode. [RT #33028]
+
+3540.	[test]		libt_api: t_info and t_assert were not thread safe.
+
+3539.	[port]		win32: timestamp format didn't match other platforms.
+
+3538.	[test]		Running "make test" now requires loopback interfaces
+			to be set up. [RT #32452]
+
+3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
+			to peers before being dumped to disk rather than
+			after. [RT #27242]
+
+3535.	[bug]		Minor win32 cleanups. [RT #32962]
+
+3534.	[bug]		Extra text after an embedded NULL was ignored when
+			parsing zone files. [RT #32699]
+
+3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]
+
+3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]
+
+3531.	[bug]		win32: A uninitialized value could be returned on out
+			of memory. [RT #32960]
+
+3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]
+
+3526.	[cleanup]	Set up dependencies for unit tests correctly during
+			build. [RT #32803]
+
+3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
+
+3520.	[bug]		'mctx' was not being referenced counted in some places
+			where it should have been.  [RT #32794]
+
+	--- 9.8.5b2 released ---
+
+3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
+
+3515.	[port]		'%T' is not portable in strftime(). [RT #32763]
+
+3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
+			rndc-confgen were too constrained. Keys up to 512
+			bits are now allowed for most algorithms, and up
+			to 1024 bits for hmac-sha384 and hmac-sha512.
+			[RT #32753]
+
+3509.	[cleanup]	Added a product line to version file to allow for
+			easy naming of different products (BIND
+			vs BIND ESV, for example). [RT #32755]
+
+3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
+			[RT #32338]
+
+3503.	[doc]		Clarify size_spec syntax. [RT #32449]
+
+3500.	[security]	Support NAPTR regular expression validation on
+			all platforms without using libregex, which
+			can be vulnerable to memory exhaustion attack
+			(CVE-2013-2266). [RT #32688]
+
+3499.	[doc]		Corrected ARM documentation of built-in zones.
+			[RT #32694]
+
+3498.	[bug]		zone statistics for zones which matched a potential
+			empty zone could have their zone-statistics setting
+			overridden.
+
+3496.	[func]		Improvements to RPZ performance. The "response-policy"
+			syntax now includes a "min-ns-dots" clause, with
+			default 1, to exclude top-level domains from
+			NSIP and NSDNAME checking. --enable-rpz-nsip and
+			--enable-rpz-nsdname are now the default. [RT #32251]
+
+3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
+			When cloning a rdataset do not copy the link contents.
+			[RT #32651]
+
+3488.	[bug]		Use after free error with DH generated keys. [RT #32649]
+
+3487.	[bug]		Change 3444 was not complete.  There was a additional
+			place where the NOQNAME proof needed to be saved.
+			[RT #32629]
+
+3486.	[bug]		named could crash when using TKEY-negotiated keys
+			that had been deleted and then recreated. [RT #32506]
+
+3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.
+
+3481.	[cleanup]	Removed use of const const in atf.
+
+3479.	[bug]		Address potential memory leaks in gssapi support
+			code. [RT #32405]
+
+3478.	[port]		Fix a build failure in strict C99 environments
+			[RT #32475]
+
+3474.	[bug]		nsupdate could assert when the local and remote
+			address families didn't match. [RT #22897]
+
+3470.	[bug]		Slave zones could fail to dump when successfully
+			refreshing after an initial failure. [RT #31276]
+
+	--- 9.8.5b1 released ---
+
+3468.	[security]	RPZ rules to generate A records (but not AAAA records)
+			could trigger an assertion failure when used in
+			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
+
+3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
+			to check for delete date < inactive date. [RT #31719]
+
+3465.	[bug]		Handle isolated reserved ports. [RT #31778]
+
+3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
+			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
+
+3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
+
+3462.	[doc]		Clarify server selection behavior of dig when using
+			-4 or -6 options. [RT #32181]
+
+3461.	[bug]		Negative responses could incorrectly have AD=1
+			set. [RT #32237]
+
+3458.	[bug]		Return FORMERR when presented with a overly long
+			domain named in a request. [RT #29682]
+
+3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]
+
+3456.	[port]		g++47: ATF failed to compile. [RT #32012]
+
+3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]
+
+3454.	[port]		sparc64: improve atomic support. [RT #25182]
+
+3452.	[bug]		Accept duplicate singleton records. [RT #32329]
+
+3451.	[port]		Increase per thread stack size from 64K to 1M.
+			[RT #32230]
+
+3450.	[bug]		Stop logfileconfig system test spam system logs.
+			[RT #32315]
+
+3449.	[bug]		gen.c: use the pre-processor to construct format
+			strings so that compiler can perform sanity checks;
+			check the snprintf results. [RT #17576]
+
+3448.	[bug]		The allow-query-on ACL was not processed correctly.
+			[RT #29486]
+
+3447.	[port]		Add support for libxml2-2.9.x [RT #32231]
+
+3446.	[port]		win32: Add source ID (see change #3400) to build.
+			[RT #31683]
+
+3445.	[bug]		Warn about zone files with blank owner names
+			immediately after $ORIGIN directives. [RT #31848]
+
+3444.	[bug]		The NOQNAME proof was not being returned from cached
+			insecure responses. [RT #21409]
+
+3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
+			rejected when generating keys. [RT #31927]
+
+3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
+			change. [RT #32216]
+
+3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.
+
+3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
+			cleaning up due to out of memory error. [RT #32131]
+
+3439.	[bug]		contrib/dlz error checking fixes. [RT #32102]
+
+3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]
+
+3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
+			buffers with constant data. [RT #32064]
+
+3436.	[bug]		Check malloc/calloc return values. [RT #32088]
+
+3435.	[bug]		Cross compilation support in configure was broken.
+			[RT #32078]
+
+3431.	[bug]		ddns-confgen: Some valid key algorithms were
+			not accepted. [RT #31927]
+
+3430.	[bug]		win32: isc_time_formatISO8601 was missing the
+			'T' between the date and time. [RT #32044]
+
+3429.	[bug]		dns_zone_getserial2 could a return success without
+			returning a valid serial. [RT #32007]
+
+3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]
+
+3427.	[bug]		dig +trace incorrectly displayed name server
+			addresses instead of names. [RT #31641]
+
+3425.	[bug]		"acacheentry" reference counting was broken resulting
+			in use after free. [RT #31908]
+
+3422.	[bug]		Added a clear error message for when the SOA does not
+			match the referral. [RT #31281]
+
+3421.	[bug]		Named loops when re-signing if all keys are offline.
+			[RT #31916]
+
+3420.	[bug]		Address VPATH compilation issues. [RT #31879]
+
+3419.	[bug]		Memory leak on validation cancel. [RT #31869]
+
+3415.	[bug]		named could die with a REQUIRE failure if a validation
+			was canceled. [RT #31804]
+
+3412.	[bug]		Copy timeval structure from control message data.
+			[RT #31548]
+
+3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
+			to UDP. [RT #31690]
+
+3410.	[bug]		Addressed Coverity warnings. [RT #31626]
+
+3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
+			from X.509 certificates, for use with DANE
+			(DNS-based Authentication of Named Entities).
+			[RT #30513]
+
+3406.	[bug]		mem.c: Fix compilation errors when building with
+			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
+			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
+
+3405.	[bug]		Handle time going backwards in acache. [RT #31253]
+
+3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
+			RRSIG and NSEC records from nodes that used to be
+			in-zone but are now below a zone cut. [RT #31556]
+
+3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]
+
+3402.	[test]		The IPv6 interface numbers used for system
+			tests were incorrect on some platforms. [RT #25085]
+
+3401.	[bug]		Addressed Coverity warnings. [RT #31484]
+
+3400.	[cleanup]	"named -V" can now report a source ID string, defined
+			in the "srcid" file in the build tree and normally set
+			to the most recent git hash.  [RT #31494]
+
+3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
+
+3396.	[bug]		OPT records were incorrectly removed from signed,
+			truncated responses. [RT #31439]
+
+3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
+			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
+			[RT #31336]
+
+3394.	[bug]		Adjust 'successfully validated after lower casing
+			signer' log level and category. [RT #31414]
+
+3393.	[bug]		'host -C' could core dump if REFUSED was received.
+			[RT #31381]
+
+3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
+			[RT #31262]
+
+3390.	[bug]		Silence clang compiler warnings. [RT #30417]
+
+3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
+
+3388.	[bug]		Fixed several Coverity warnings.
+			Note: This change includes a fix for a bug that
+			was subsequently determined to be an exploitable
+			security vulnerability, CVE-2012-5688: named could
+			die on specific queries with dns64 enabled.
+			[RT #30996]
+
+3386.	[bug]		Address locking violation when generating new NSEC /
+			NSEC3 chains. [RT #31224]
+
+3384.	[bug]		Improved logging of crypto errors. [RT #30963]
 
 3383.	[security]	A certain combination of records in the RBT could
-                        cause named to hang while populating the additional
-                        section of a response. [RT #31090]
+			cause named to hang while populating the additional
+			section of a response. [RT #31090]
+
+3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
+			if set, regardless of the address family in use.
+			[RT #24173]
+
+3381.	[contrib]	Update queryperf to support more RR types.
+			[RT #30762]
+
+3380.	[bug]		named could die if a nonexistent master list was
+			referenced in a also-notify. [RT #31004]
+
+3379.	[bug]		isc_interval_zero and isc_time_epoch should be
+			"const (type)* const". [RT #31069]
+
+3378.	[bug]		Handle missing 'managed-keys-directory' better.
+			[RT #30625]
+
+3376.	[bug]		Lack of EDNS support was being recorded without a
+			successful response. [RT #30811]
+
+3375.	[func]		Check that 'rndc dumpdb' works on a empty cache.
+			[RT #30808]
+
+3374.	[bug]		isc_parse_uint32 failed to return a range error on
+			systems with 64 bit longs. [RT #30232]
+
+3372.	[bug]		Silence spurious "deleted from unreachable cache"
+			messages.  [RT #30501]
+
+3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
+			add NS RRsets to the additional section or not.
+			[RT #30479]
+
+	--- 9.8.4 released ---
 
 3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
 
@@ -135,11 +507,11 @@
 	--- 9.8.3 released ---
 
 3318.	[tuning]	Reduce the amount of work performed while holding a
-			bucket lock when finshed with a fetch context.
+			bucket lock when finished with a fetch context.
 			[RT #29239]
 
-3314.	[bug]		The masters list could be updated while refesh_callback
-			and stub_callback were using it. [RT #26732]
+3314.	[bug]		The masters list could be updated while stub_callback
+			or refresh_callback were using it. [RT #26732]
 
 3313.	[protocol]	Add TLSA record type. [RT #28989]
 
@@ -151,7 +523,7 @@
 
 3310.	[test]		Increase table size for mutex profiling. [RT #28809]
 
-3309.	[bug]		resolver.c:fctx_finddone() was not threadsafe.
+3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
 			[RT #27995]
 
 3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
@@ -328,7 +700,7 @@
 
 3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]
 
-3231.	[bug]		named could fail to send a uncompressable zone.
+3231.	[bug]		named could fail to send a incompressible zone.
 			[RT #26796]
 
 3230.	[bug]		'dig axfr' failed to properly handle a multi-message
@@ -345,7 +717,7 @@
 
 3226.	[bug]		Address minor resource leakages. [RT #26624]
 
-3221.	[bug]		Fixed a potential coredump on shutdown due to
+3221.	[bug]		Fixed a potential core dump on shutdown due to
 			referencing fetch context after it's been freed.
 			[RT #26720]
 
@@ -369,7 +741,7 @@
 
 3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
 
-3208.	[bug]		'dig -y' handle unknown tsig alorithm better.
+3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
 			[RT #25522]
 
 3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]
@@ -672,7 +1044,7 @@
 3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
 			dns_zone_attach(), use zone->irefs instead. [RT #23303]
 
-3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistant
+3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistent
 			timestamp when determining which keys are active.
 			[RT #23642]
 
@@ -686,7 +1058,7 @@
 3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
 			[RT #20256]
 
-3071.	[bug]		has_nsec could be used unintialised in
+3071.	[bug]		has_nsec could be used uninitialized in
 			update.c:next_active. [RT #20256]
 
 3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
@@ -732,7 +1104,7 @@
 
 3052.	[test]		Fixed last autosign test report. [RT #23256]
 
-3051.	[bug]		NS records obsure DNAME records at the bottom of the
+3051.	[bug]		NS records obscure DNAME records at the bottom of the
 			zone if both are present. [RT #23035]
 
 3050.	[bug]		The autosign system test was timing dependent.
@@ -742,7 +1114,7 @@
 3049.	[bug]		Save and restore the gid when creating creating
 			named.pid at startup. [RT #23290]
 
-3048.	[bug]		Fully separate view key mangement. [RT #23419]
+3048.	[bug]		Fully separate view key management. [RT #23419]
 
 3047.	[bug]		DNSKEY NODATA responses not cached fixed in
 			validator.c. Tests added to dnssec system test.
@@ -1079,7 +1451,7 @@
 			no data response. [RT #21744]
 
 2952.	[port]		win32: named-checkzone and named-checkconf failed
-			to initialise winsock. [RT #21932]
+			to initialize winsock. [RT #21932]
 
 2951.	[bug]		named failed to generate a correct signed response
 			in a optout, delegation only zone with no secure
@@ -1125,7 +1497,7 @@
 			in use. [RT# 21868]
 
 2938.	[bug]		When generating signed responses, from a signed zone
-			that uses NSEC3, named would use a uninitialised
+			that uses NSEC3, named would use a uninitialized
 			pointer if it needed to skip a NSEC3 record because
 			it didn't match the selected NSEC3PARAM record for
 			zone. [RT# 21868]
@@ -1179,7 +1551,7 @@
 			revisit the issue and complete the fix later.
 			[RT #21710]
 
-2930.	[experimental]	New "rndc addzone" and "rndc delzone" commads
+2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
 			allow dynamic addition and deletion of zones.
 			To enable this feature, specify a "new-zone-file"
 			option at the view or options level in named.conf.
@@ -1355,7 +1727,7 @@
 			successfully responds to the query using plain DNS.
 			[RT #20930]
 
-2873.	[bug]		Cancelling a dynamic update via the dns/client module
+2873.	[bug]		Canceling a dynamic update via the dns/client module
 			could trigger an assertion failure. [RT #21133]
 
 2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
@@ -1397,7 +1769,7 @@
 
 2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]
 
-2859.	[bug]		When cancelling validation it was possible to leak
+2859.	[bug]		When canceling validation it was possible to leak
 			memory. [RT #20800]
 
 2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
@@ -1950,7 +2322,7 @@
 
 2695.	[func]		DHCP/DDNS - update fdwatch code for use by
 			DHCP.  Modify the api to isc_sockfdwatch_t (the
-			callback functon for isc_socket_fdwatchcreate)
+			callback function for isc_socket_fdwatchcreate)
 			to include information about the direction (read
 			or write) and add isc_socket_fdwatchpoke.
 			[RT #20253]
@@ -2015,7 +2387,7 @@
 			  sets the time when a key is no longer used for
 			  signing but is still published.
 			- The "unpublished" date (-U) is deprecated in
-			  favour of "deleted" (-D).
+			  favor of "deleted" (-D).
 			[RT #20247]
 
 2676.	[bug]		--with-export-installdir should have been
@@ -2461,7 +2833,7 @@
 
 2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]
 
-2552.	[bug]		zero-no-soa-ttl-cache was not being honoured.
+2552.	[bug]		zero-no-soa-ttl-cache was not being honored.
 			[RT #19340]
 
 2551.	[bug]		Potential Reference leak on return. [RT #19341]
@@ -2514,7 +2886,7 @@
 
 2534.	[func]		Check NAPTR records regular expressions and
 			replacement strings to ensure they are syntactically
-			valid and consistant. [RT #18168]
+			valid and consistent. [RT #18168]
 
 2533.	[doc]		ARM: document @ (at-sign). [RT #17144]
 

Modified: stable/9/contrib/bind9/COPYRIGHT
==============================================================================
--- stable/9/contrib/bind9/COPYRIGHT	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/COPYRIGHT	Fri Aug 16 07:11:13 2013	(r254402)
@@ -1,4 +1,4 @@
-Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 1996-2003  Internet Software Consortium.
 
 Permission to use, copy, modify, and/or distribute this software for any

Modified: stable/9/contrib/bind9/FAQ
==============================================================================
--- stable/9/contrib/bind9/FAQ	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/FAQ	Fri Aug 16 07:11:13 2013	(r254402)
@@ -1,6 +1,6 @@
 Frequently Asked Questions about BIND 9
 
-Copyright © 2004-2010 Internet Systems Consortium, Inc. ("ISC")
+Copyright © 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
 
 Copyright © 2000-2003 Internet Software Consortium.
 
@@ -869,7 +869,7 @@ A: If you run Tiger(Mac OS 10.4) or late
    Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
 
    key "rndc-key" {
-           algorithm hmac-md5;
+           algorithm hmac-sha256;
            secret "uvceheVuqf17ZwIcTydddw==";
    };
 

Modified: stable/9/contrib/bind9/FAQ.xml
==============================================================================
--- stable/9/contrib/bind9/FAQ.xml	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/FAQ.xml	Fri Aug 16 07:11:13 2013	(r254402)
@@ -1,7 +1,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
        "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
 <!--
- - Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010, 2013  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -30,6 +30,7 @@
       <year>2008</year>
       <year>2009</year>
       <year>2010</year>
+      <year>2013</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -1564,7 +1565,7 @@ rand_irqs="3 14 15"</programlisting>
 	<informalexample>
 	  <programlisting>
 key "rndc-key" {
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 	secret "uvceheVuqf17ZwIcTydddw==";
 };</programlisting>
 	</informalexample>

Modified: stable/9/contrib/bind9/Makefile.in
==============================================================================
--- stable/9/contrib/bind9/Makefile.in	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/Makefile.in	Fri Aug 16 07:11:13 2013	(r254402)
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -61,9 +61,21 @@ tags:
 	rm -f TAGS
 	find lib bin -name "*.[ch]" -print | @ETAGS@ -
 
-check: test
+test check:
+	@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>&- || echo fail`"; then \
+	echo I: NOTE: The tests were not run because they require that; \
+	echo I:	the IP addresses 10.53.0.1 through 10.53.0.8 are configured; \
+	echo I:	as alias addresses on the loopback interface.  Please run; \
+	echo I:	\'bin/tests/system/ifconfig.sh up\' as root to configure; \
+	echo I:	them, then rerun the tests. Run make force-test to run the; \
+	echo I:	tests anyway.; \
+	exit 1; \
+	fi
+	${MAKE} test-force
 
-test:
+force-test: test-force
+
+test-force:
 	status=0; \
 	(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
 	(test -f unit/unittest.sh && $(SHELL) unit/unittest.sh) || status=1; \

Modified: stable/9/contrib/bind9/README
==============================================================================
--- stable/9/contrib/bind9/README	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/README	Fri Aug 16 07:11:13 2013	(r254402)
@@ -51,6 +51,11 @@ BIND 9
         For up-to-date release notes and errata, see
         http://www.isc.org/software/bind9/releasenotes
 
+BIND 9.8.5
+
+        BIND 9.8.5 includes several bug fixes and patches security
+        flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.
+
 BIND 9.8.4
 
         BIND 9.8.4 includes several bug fixes and patches security

Modified: stable/9/contrib/bind9/aclocal.m4
==============================================================================
--- stable/9/contrib/bind9/aclocal.m4	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/aclocal.m4	Fri Aug 16 07:11:13 2013	(r254402)
@@ -1,2 +1,5 @@
-sinclude(./libtool.m4)dnl
-
+sinclude(libtool.m4/libtool.m4)dnl
+sinclude(libtool.m4/ltoptions.m4)dnl
+sinclude(libtool.m4/ltsugar.m4)dnl
+sinclude(libtool.m4/ltversion.m4)dnl
+sinclude(libtool.m4/lt~obsolete.m4)dnl

Modified: stable/9/contrib/bind9/bin/Makefile.in
==============================================================================
--- stable/9/contrib/bind9/bin/Makefile.in	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/bin/Makefile.in	Fri Aug 16 07:11:13 2013	(r254402)
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -19,7 +19,7 @@ srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS =	named rndc dig dnssec tests tools nsupdate \
+SUBDIRS =	named rndc dig dnssec tools tests nsupdate \
 		check confgen @PKCS11_TOOLS@
 TARGETS =
 

Modified: stable/9/contrib/bind9/bin/check/check-tool.c
==============================================================================
--- stable/9/contrib/bind9/bin/check/check-tool.c	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/bin/check/check-tool.c	Fri Aug 16 07:11:13 2013	(r254402)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010, 2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -196,6 +196,10 @@ checkns(dns_zone_t *zone, dns_name_t *na
 		a->type == dns_rdatatype_a);
 	REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
 		aaaa->type == dns_rdatatype_aaaa);
+
+	if (a == NULL || aaaa == NULL)
+		return (answer);
+
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_flags = AI_CANONNAME;
 	hints.ai_family = PF_UNSPEC;
@@ -258,8 +262,7 @@ checkns(dns_zone_t *zone, dns_name_t *na
 		}
 		return (ISC_TRUE);
 	}
-	if (a == NULL || aaaa == NULL)
-		return (answer);
+
 	/*
 	 * Check that all glue records really exist.
 	 */
@@ -597,7 +600,7 @@ load_zone(isc_mem_t *mctx, const char *z
 
 	dns_zone_settype(zone, dns_zone_master);
 
-	isc_buffer_init(&buffer, zonename, strlen(zonename));
+	isc_buffer_constinit(&buffer, zonename, strlen(zonename));
 	isc_buffer_add(&buffer, strlen(zonename));
 	dns_fixedname_init(&fixorigin);
 	origin = dns_fixedname_name(&fixorigin);

Modified: stable/9/contrib/bind9/bin/check/named-checkconf.c
==============================================================================
--- stable/9/contrib/bind9/bin/check/named-checkconf.c	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/bin/check/named-checkconf.c	Fri Aug 16 07:11:13 2013	(r254402)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -295,6 +295,18 @@ configure_zone(const char *vclass, const
 	}
 
 	obj = NULL;
+	if (get_maps(maps, "check-spf", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKSPF;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options &= ~DNS_ZONEOPT_CHECKSPF;
+		} else
+			INSIST(0);
+	} else {
+		zone_options |= DNS_ZONEOPT_CHECKSPF;
+	}
+
+	obj = NULL;
 	if (get_checknames(maps, &obj)) {
 		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
 			zone_options |= DNS_ZONEOPT_CHECKNAMES;
@@ -471,6 +483,7 @@ main(int argc, char **argv) {
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
+			/* FALLTHROUGH */
 		case 'h':
 			usage();
 

Modified: stable/9/contrib/bind9/bin/check/named-checkzone.8
==============================================================================
--- stable/9/contrib/bind9/bin/check/named-checkzone.8	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/bin/check/named-checkzone.8	Fri Aug 16 07:11:13 2013	(r254402)
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2009, 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -33,9 +33,9 @@
 named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
 .SH "SYNOPSIS"
 .HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
 .HP 18
-\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
+\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkzone\fR
@@ -236,6 +236,14 @@ Chroot to
 so that include directives in the configuration file are processed as if run by a similarly chrooted named.
 .RE
 .PP
+\-T \fImode\fR
+.RS 4
+Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are
+\fB"warn"\fR
+(default),
+\fB"ignore"\fR.
+.RE
+.PP
 \-w \fIdirectory\fR
 .RS 4
 chdir to
@@ -281,7 +289,7 @@ BIND 9 Administrator Reference Manual.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007, 2009, 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2002 Internet Software Consortium.
 .br

Modified: stable/9/contrib/bind9/bin/check/named-checkzone.c
==============================================================================
--- stable/9/contrib/bind9/bin/check/named-checkzone.c	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/bin/check/named-checkzone.c	Fri Aug 16 07:11:13 2013	(r254402)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -145,19 +145,21 @@ main(int argc, char **argv) {
 	if (progmode == progmode_compile) {
 		zone_options |= (DNS_ZONEOPT_CHECKNS |
 				 DNS_ZONEOPT_FATALNS |
+				 DNS_ZONEOPT_CHECKSPF |
 				 DNS_ZONEOPT_CHECKDUPRR |
 				 DNS_ZONEOPT_CHECKNAMES |
 				 DNS_ZONEOPT_CHECKNAMESFAIL |
 				 DNS_ZONEOPT_CHECKWILDCARD);
 	} else
-		zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+		zone_options |= (DNS_ZONEOPT_CHECKDUPRR |
+				 DNS_ZONEOPT_CHECKSPF);
 
 #define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
 
 	isc_commandline_errprint = ISC_FALSE;
 
 	while ((c = isc_commandline_parse(argc, argv,
-				       "c:df:hi:jk:m:n:qr:s:t:o:vw:DF:M:S:W:"))
+				     "c:df:hi:jk:m:n:qr:s:t:o:vw:DF:M:S:T:W:"))
 	       != EOF) {
 		switch (c) {
 		case 'c':
@@ -363,6 +365,18 @@ main(int argc, char **argv) {
 			}
 			break;
 
+		case 'T':
+			if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKSPF;
+			} else if (ARGCMP("ignore")) {
+				zone_options &= ~DNS_ZONEOPT_CHECKSPF;
+			} else {
+				fprintf(stderr, "invalid argument to -T: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
 		case 'W':
 			if (ARGCMP("warn"))
 				zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
@@ -374,6 +388,7 @@ main(int argc, char **argv) {
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					prog_name, isc_commandline_option);
+			/* FALLTHROUGH */
 		case 'h':
 			usage();
 

Modified: stable/9/contrib/bind9/bin/check/named-checkzone.docbook
==============================================================================
--- stable/9/contrib/bind9/bin/check/named-checkzone.docbook	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/bin/check/named-checkzone.docbook	Fri Aug 16 07:11:13 2013	(r254402)
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "—">]>
 <!--
- - Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009, 2010, 2013  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -38,6 +38,7 @@
       <year>2007</year>
       <year>2009</year>
       <year>2010</year>
+      <year>2013</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -75,6 +76,7 @@
       <arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
       <arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
       <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
       <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
       <arg><option>-D</option></arg>
       <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
@@ -98,6 +100,7 @@
       <arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
       <arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
       <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
       <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
       <arg><option>-D</option></arg>
       <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
@@ -380,6 +383,18 @@
       </varlistentry>
 
       <varlistentry>
+	<term>-T <replaceable class="parameter">mode</replaceable></term>
+	<listitem>
+	  <para>
+	    Check if Sender Policy Framework records (TXT and SPF)
+	    both exist or both don't exist.  A warning is issued
+	    if they don't match.  Possible modes are
+	    <command>"warn"</command> (default), <command>"ignore"</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-w <replaceable class="parameter">directory</replaceable></term>
         <listitem>
           <para>

Modified: stable/9/contrib/bind9/bin/check/named-checkzone.html
==============================================================================
--- stable/9/contrib/bind9/bin/check/named-checkzone.html	Fri Aug 16 07:03:28 2013	(r254401)
+++ stable/9/contrib/bind9/bin/check/named-checkzone.html	Fri Aug 16 07:11:13 2013	(r254402)
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009, 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -29,11 +29,11 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em 
 class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
-<div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</co
 de></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em 
 class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</co
 de></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543696"></a><h2>DESCRIPTION</h2>
+<a name="id2543716"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       checks the syntax and integrity of a zone file.  It performs the
       same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -53,7 +53,7 @@
      </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543731"></a><h2>OPTIONS</h2>
+<a name="id2543751"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-d</span></dt>
 <dd><p>
@@ -214,6 +214,13 @@
             directives in the configuration file are processed as if
             run by a similarly chrooted named.
           </p></dd>
+<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+	    Check if Sender Policy Framework records (TXT and SPF)
+	    both exist or both don't exist.  A warning is issued
+	    if they don't match.  Possible modes are
+	    <span><strong class="command">"warn"</strong></span> (default), <span><strong class="command">"ignore"</strong></span>.
+	  </p></dd>
 <dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             chdir to <code class="filename">directory</code> so that
@@ -247,14 +254,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544446"></a><h2>RETURN VALUES</h2>
+<a name="id2544422"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544458"></a><h2>SEE ALSO</h2>
+<a name="id2544434"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>,
@@ -262,7 +269,7 @@

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
