svn commit: r288577 - in stable/9: contrib/bind9 contrib/bind9/bin/check contrib/bind9/bin/confgen contrib/bind9/bin/dig contrib/bind9/bin/dnssec contrib/bind9/bin/named contrib/bind9/bin/named/inc...

Erwin Lansing erwin at FreeBSD.org
Sat Oct 3 09:33:33 UTC 2015


Author: erwin
Date: Sat Oct  3 09:33:29 2015
New Revision: 288577
URL: https://svnweb.freebsd.org/changeset/base/288577

Log:
  Update BIND to 9.9.8
  
  See release notes for notable changes:
  https://kb.isc.org/article/AA-01305
  
  Note this is a direct commit to stable/9 as BIND is no longer in head.
  
  Sponsored by:	DK Hostmaster A/S

Added:
  stable/9/contrib/bind9/doc/arm/html-fixup.pl
     - copied unchanged from r288438, vendor/bind9/dist/doc/arm/html-fixup.pl
Modified:
  stable/9/contrib/bind9/CHANGES
  stable/9/contrib/bind9/README
  stable/9/contrib/bind9/bin/check/check-tool.c
  stable/9/contrib/bind9/bin/check/named-checkconf.c
  stable/9/contrib/bind9/bin/check/named-checkzone.c
  stable/9/contrib/bind9/bin/confgen/keygen.c
  stable/9/contrib/bind9/bin/confgen/util.c
  stable/9/contrib/bind9/bin/dig/dig.1
  stable/9/contrib/bind9/bin/dig/dig.c
  stable/9/contrib/bind9/bin/dig/dig.docbook
  stable/9/contrib/bind9/bin/dig/dig.html
  stable/9/contrib/bind9/bin/dig/dighost.c
  stable/9/contrib/bind9/bin/dig/nslookup.c
  stable/9/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
  stable/9/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
  stable/9/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook
  stable/9/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
  stable/9/contrib/bind9/bin/dnssec/dnssec-keygen.c
  stable/9/contrib/bind9/bin/dnssec/dnssec-revoke.c
  stable/9/contrib/bind9/bin/dnssec/dnssec-settime.c
  stable/9/contrib/bind9/bin/dnssec/dnssec-signzone.c
  stable/9/contrib/bind9/bin/named/client.c
  stable/9/contrib/bind9/bin/named/config.c
  stable/9/contrib/bind9/bin/named/control.c
  stable/9/contrib/bind9/bin/named/include/named/lwdclient.h
  stable/9/contrib/bind9/bin/named/include/named/main.h
  stable/9/contrib/bind9/bin/named/include/named/server.h
  stable/9/contrib/bind9/bin/named/interfacemgr.c
  stable/9/contrib/bind9/bin/named/logconf.c
  stable/9/contrib/bind9/bin/named/lwdclient.c
  stable/9/contrib/bind9/bin/named/lwresd.c
  stable/9/contrib/bind9/bin/named/main.c
  stable/9/contrib/bind9/bin/named/named.8
  stable/9/contrib/bind9/bin/named/named.docbook
  stable/9/contrib/bind9/bin/named/named.html
  stable/9/contrib/bind9/bin/named/query.c
  stable/9/contrib/bind9/bin/named/server.c
  stable/9/contrib/bind9/bin/named/statschannel.c
  stable/9/contrib/bind9/bin/named/update.c
  stable/9/contrib/bind9/bin/named/xfrout.c
  stable/9/contrib/bind9/bin/nsupdate/nsupdate.1
  stable/9/contrib/bind9/bin/nsupdate/nsupdate.c
  stable/9/contrib/bind9/bin/nsupdate/nsupdate.docbook
  stable/9/contrib/bind9/bin/nsupdate/nsupdate.html
  stable/9/contrib/bind9/bin/rndc/rndc.8
  stable/9/contrib/bind9/bin/rndc/rndc.c
  stable/9/contrib/bind9/bin/rndc/rndc.docbook
  stable/9/contrib/bind9/bin/rndc/rndc.html
  stable/9/contrib/bind9/bin/rndc/util.c
  stable/9/contrib/bind9/bin/tools/arpaname.c
  stable/9/contrib/bind9/bin/tools/isc-hmac-fixup.c
  stable/9/contrib/bind9/bin/tools/named-journalprint.c
  stable/9/contrib/bind9/config.h.in
  stable/9/contrib/bind9/configure.in
  stable/9/contrib/bind9/doc/arm/Bv9ARM-book.xml
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.pdf
  stable/9/contrib/bind9/doc/arm/Makefile.in
  stable/9/contrib/bind9/doc/arm/man.arpaname.html
  stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html
  stable/9/contrib/bind9/doc/arm/man.dig.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-keygen.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-revoke.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-settime.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-signzone.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-verify.html
  stable/9/contrib/bind9/doc/arm/man.genrandom.html
  stable/9/contrib/bind9/doc/arm/man.host.html
  stable/9/contrib/bind9/doc/arm/man.isc-hmac-fixup.html
  stable/9/contrib/bind9/doc/arm/man.named-checkconf.html
  stable/9/contrib/bind9/doc/arm/man.named-checkzone.html
  stable/9/contrib/bind9/doc/arm/man.named-journalprint.html
  stable/9/contrib/bind9/doc/arm/man.named.html
  stable/9/contrib/bind9/doc/arm/man.nsec3hash.html
  stable/9/contrib/bind9/doc/arm/man.nsupdate.html
  stable/9/contrib/bind9/doc/arm/man.rndc-confgen.html
  stable/9/contrib/bind9/doc/arm/man.rndc.conf.html
  stable/9/contrib/bind9/doc/arm/man.rndc.html
  stable/9/contrib/bind9/doc/arm/notes.html
  stable/9/contrib/bind9/doc/arm/notes.pdf
  stable/9/contrib/bind9/doc/arm/notes.xml
  stable/9/contrib/bind9/doc/misc/rfc-compliance
  stable/9/contrib/bind9/isc-config.sh.in
  stable/9/contrib/bind9/lib/bind9/api
  stable/9/contrib/bind9/lib/bind9/check.c
  stable/9/contrib/bind9/lib/dns/adb.c
  stable/9/contrib/bind9/lib/dns/api
  stable/9/contrib/bind9/lib/dns/cache.c
  stable/9/contrib/bind9/lib/dns/callbacks.c
  stable/9/contrib/bind9/lib/dns/client.c
  stable/9/contrib/bind9/lib/dns/diff.c
  stable/9/contrib/bind9/lib/dns/dispatch.c
  stable/9/contrib/bind9/lib/dns/dlz.c
  stable/9/contrib/bind9/lib/dns/dnssec.c
  stable/9/contrib/bind9/lib/dns/dst_api.c
  stable/9/contrib/bind9/lib/dns/dst_openssl.h
  stable/9/contrib/bind9/lib/dns/dst_parse.c
  stable/9/contrib/bind9/lib/dns/gssapi_link.c
  stable/9/contrib/bind9/lib/dns/gssapictx.c
  stable/9/contrib/bind9/lib/dns/hmac_link.c
  stable/9/contrib/bind9/lib/dns/include/dns/adb.h
  stable/9/contrib/bind9/lib/dns/include/dns/log.h
  stable/9/contrib/bind9/lib/dns/include/dns/message.h
  stable/9/contrib/bind9/lib/dns/include/dns/name.h
  stable/9/contrib/bind9/lib/dns/include/dns/resolver.h
  stable/9/contrib/bind9/lib/dns/include/dns/result.h
  stable/9/contrib/bind9/lib/dns/include/dns/rrl.h
  stable/9/contrib/bind9/lib/dns/include/dns/stats.h
  stable/9/contrib/bind9/lib/dns/include/dns/types.h
  stable/9/contrib/bind9/lib/dns/include/dns/update.h
  stable/9/contrib/bind9/lib/dns/include/dns/zone.h
  stable/9/contrib/bind9/lib/dns/include/dst/dst.h
  stable/9/contrib/bind9/lib/dns/journal.c
  stable/9/contrib/bind9/lib/dns/keytable.c
  stable/9/contrib/bind9/lib/dns/log.c
  stable/9/contrib/bind9/lib/dns/master.c
  stable/9/contrib/bind9/lib/dns/message.c
  stable/9/contrib/bind9/lib/dns/name.c
  stable/9/contrib/bind9/lib/dns/ncache.c
  stable/9/contrib/bind9/lib/dns/nsec.c
  stable/9/contrib/bind9/lib/dns/nsec3.c
  stable/9/contrib/bind9/lib/dns/openssl_link.c
  stable/9/contrib/bind9/lib/dns/openssldh_link.c
  stable/9/contrib/bind9/lib/dns/openssldsa_link.c
  stable/9/contrib/bind9/lib/dns/opensslecdsa_link.c
  stable/9/contrib/bind9/lib/dns/opensslgost_link.c
  stable/9/contrib/bind9/lib/dns/opensslrsa_link.c
  stable/9/contrib/bind9/lib/dns/order.c
  stable/9/contrib/bind9/lib/dns/private.c
  stable/9/contrib/bind9/lib/dns/rbt.c
  stable/9/contrib/bind9/lib/dns/rbtdb.c
  stable/9/contrib/bind9/lib/dns/rdata.c
  stable/9/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
  stable/9/contrib/bind9/lib/dns/rdata/ch_3/a_1.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/caa_257.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/cdnskey_60.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/cds_59.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/cert_37.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/cname_5.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/dname_39.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/ds_43.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/eui48_108.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/eui64_109.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/hip_55.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/key_25.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/l32_105.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/l64_106.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/loc_29.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/lp_107.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/mb_7.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/md_3.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/mf_4.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/mg_8.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/mr_9.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/mx_15.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/naptr_35.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/nid_104.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/ns_2.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/nsec3_50.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/nsec3param_51.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/null_10.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/openpgpkey_61.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/opt_41.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/proforma.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/rp_17.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/rt_21.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/sig_24.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/soa_6.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/spf_99.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/tlsa_52.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/txt_16.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/uri_256.c
  stable/9/contrib/bind9/lib/dns/rdata/generic/x25_19.c
  stable/9/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/a_1.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/dhcid_49.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/px_26.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
  stable/9/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
  stable/9/contrib/bind9/lib/dns/request.c
  stable/9/contrib/bind9/lib/dns/resolver.c
  stable/9/contrib/bind9/lib/dns/result.c
  stable/9/contrib/bind9/lib/dns/rpz.c
  stable/9/contrib/bind9/lib/dns/rrl.c
  stable/9/contrib/bind9/lib/dns/sdb.c
  stable/9/contrib/bind9/lib/dns/sdlz.c
  stable/9/contrib/bind9/lib/dns/spnego.c
  stable/9/contrib/bind9/lib/dns/tcpmsg.c
  stable/9/contrib/bind9/lib/dns/tkey.c
  stable/9/contrib/bind9/lib/dns/tsig.c
  stable/9/contrib/bind9/lib/dns/update.c
  stable/9/contrib/bind9/lib/dns/view.c
  stable/9/contrib/bind9/lib/dns/xfrin.c
  stable/9/contrib/bind9/lib/dns/zone.c
  stable/9/contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in
  stable/9/contrib/bind9/lib/export/samples/nsprobe.c
  stable/9/contrib/bind9/lib/export/samples/sample-async.c
  stable/9/contrib/bind9/lib/export/samples/sample-gai.c
  stable/9/contrib/bind9/lib/export/samples/sample-request.c
  stable/9/contrib/bind9/lib/export/samples/sample-update.c
  stable/9/contrib/bind9/lib/export/samples/sample.c
  stable/9/contrib/bind9/lib/irs/api
  stable/9/contrib/bind9/lib/irs/getaddrinfo.c
  stable/9/contrib/bind9/lib/isc/api
  stable/9/contrib/bind9/lib/isc/assertions.c
  stable/9/contrib/bind9/lib/isc/backtrace.c
  stable/9/contrib/bind9/lib/isc/commandline.c
  stable/9/contrib/bind9/lib/isc/entropy.c
  stable/9/contrib/bind9/lib/isc/error.c
  stable/9/contrib/bind9/lib/isc/heap.c
  stable/9/contrib/bind9/lib/isc/hmacmd5.c
  stable/9/contrib/bind9/lib/isc/hmacsha.c
  stable/9/contrib/bind9/lib/isc/httpd.c
  stable/9/contrib/bind9/lib/isc/include/isc/app.h
  stable/9/contrib/bind9/lib/isc/include/isc/mem.h
  stable/9/contrib/bind9/lib/isc/include/isc/namespace.h
  stable/9/contrib/bind9/lib/isc/include/isc/platform.h.in
  stable/9/contrib/bind9/lib/isc/include/isc/print.h
  stable/9/contrib/bind9/lib/isc/include/isc/safe.h
  stable/9/contrib/bind9/lib/isc/include/isc/util.h
  stable/9/contrib/bind9/lib/isc/lex.c
  stable/9/contrib/bind9/lib/isc/lib.c
  stable/9/contrib/bind9/lib/isc/mem.c
  stable/9/contrib/bind9/lib/isc/pool.c
  stable/9/contrib/bind9/lib/isc/print.c
  stable/9/contrib/bind9/lib/isc/pthreads/mutex.c
  stable/9/contrib/bind9/lib/isc/regex.c
  stable/9/contrib/bind9/lib/isc/rwlock.c
  stable/9/contrib/bind9/lib/isc/safe.c
  stable/9/contrib/bind9/lib/isc/socket_api.c
  stable/9/contrib/bind9/lib/isc/stats.c
  stable/9/contrib/bind9/lib/isc/task.c
  stable/9/contrib/bind9/lib/isc/timer.c
  stable/9/contrib/bind9/lib/isc/unix/app.c
  stable/9/contrib/bind9/lib/isc/unix/file.c
  stable/9/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
  stable/9/contrib/bind9/lib/isc/unix/ifiter_sysctl.c
  stable/9/contrib/bind9/lib/isc/unix/net.c
  stable/9/contrib/bind9/lib/isc/unix/socket.c
  stable/9/contrib/bind9/lib/isccc/Makefile.in
  stable/9/contrib/bind9/lib/isccc/alist.c
  stable/9/contrib/bind9/lib/isccc/api
  stable/9/contrib/bind9/lib/isccc/cc.c
  stable/9/contrib/bind9/lib/isccc/sexpr.c
  stable/9/contrib/bind9/lib/isccfg/api
  stable/9/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
  stable/9/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
  stable/9/contrib/bind9/lib/isccfg/namedconf.c
  stable/9/contrib/bind9/lib/isccfg/parser.c
  stable/9/contrib/bind9/lib/lwres/api
  stable/9/contrib/bind9/lib/lwres/herror.c
  stable/9/contrib/bind9/lib/lwres/man/lwres.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_buffer.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_config.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_context.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_gabn.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_gethostent.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_getipnode.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_gnba.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_inetntop.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_noop.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_packet.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_resutil.html
  stable/9/contrib/bind9/lib/lwres/print.c
  stable/9/contrib/bind9/version
  stable/9/lib/bind/config.h
  stable/9/lib/bind/isc/isc/platform.h
  stable/9/lib/bind/lwres/lwres/platform.h
Directory Properties:
  stable/9/contrib/bind9/   (props changed)

Modified: stable/9/contrib/bind9/CHANGES
==============================================================================
--- stable/9/contrib/bind9/CHANGES	Sat Oct  3 09:22:21 2015	(r288576)
+++ stable/9/contrib/bind9/CHANGES	Sat Oct  3 09:33:29 2015	(r288577)
@@ -1,14 +1,318 @@
-	--- 9.9.7-P2 released ---
+	--- 9.9.8 released ---
+
+	--- 9.9.8rc1 released ---
+
+4193.	[bug]		Handle broken servers that return BADVERS incorrectly.
+			[RT #40427]
+
+4192.	[bug]		The default rrset-order of random was not always being
+			applied. [RT #40456]
+
+4191.	[protocol]	Accept DNS-SD non LDH PTR records in reverse zones
+			as per RFC 6763. [RT #37889]
+
+4190.	[protocol]	Accept Active Diretory gc._msdcs.<forest> name as
+			valid with check-names.  <forest> still needs to be
+			LDH. [RT #40399]
+
+4189.	[cleanup]	Don't exit on overly long tokens in named.conf.
+			[RT #40418]
+
+4188.	[bug]		Support HTTP/1.0 client properly on the statistics
+			channel. [RT #40261]
+
+4187.	[func]		When any RR type implementation doesn't
+			implement totext() for the RDATA's wire
+			representation and returns ISC_R_NOTIMPLEMENTED,
+			such RDATA is now printed in unknown
+			presentation format (RFC 3597). RR types affected
+			include LOC(29) and APL(42). [RT #40317].
+
+4183.	[cleanup]	Use timing-safe memory comparisons in cryptographic
+			code. Also, the timing-safe comparison functions have
+			been renamed to avoid possible confusion with
+			memcmp(). Thanks to Loganaden Velvindron of
+			AFRINIC. [RT #40148]
+
+4182.	[cleanup]	Use mnemonics for RR class and type comparisons.
+			[RT #40297]
+
+4181.	[bug]		Queued notify messages could be dequeued from the
+			wrong rate limiter queue. [RT #40350]
+
+4179.	[bug]		Fix double frees in getaddrinfo() in libirs.
+			[RT #40209]
+
+4178.	[bug]		Fix assertion failure in parsing UNSPEC(103) RR from
+			text. [RT #40274]
+
+4177.	[bug]		Fix assertion failure in parsing NSAP records from
+			text. [RT #40285]
+
+4176.	[bug]		Address race issues with lwresd. [RT #40284]
+
+4175.	[bug]		TKEY with GSS-API keys needed bigger buffers.
+			[RT #40333]
+
+4174.	[bug]		"dnssec-coverage -r" didn't handle time unit
+			suffixes correctly. [RT #38444]
+
+4173.	[bug]		dig +sigchase was not properly matching the trusted
+			key. [RT #40188]
+
+4172.	[bug]		Named / named-checkconf didn't handle a view of CLASS0.
+			[RT #40265]
+
+4171.	[bug]		Fixed incorrect class checks in TSIG RR
+			implementation. [RT #40287]
+
+4170.	[security]	An incorrect boundary check in the OPENPGPKEY
+			rdatatype could trigger an assertion failure.
+			(CVE-2015-5986) [RT #40286]
+
+4169.	[test]		Added a 'wire_test -d' option to read input as
+			raw binary data, for use as a fuzzing harness.
+			[RT #40312]
+
+4168.	[security]	A buffer accounting error could trigger an
+			assertion failure when parsing certain malformed
+			DNSSEC keys. (CVE-2015-5722) [RT #40212]
+
+	--- 9.9.8b1 released ---
 
 4165.	[security]	A failure to reset a value to NULL in tkey.c could
 			result in an assertion failure. (CVE-2015-5477)
 			[RT #40046]
 
-	--- 9.9.7-P1 released ---
+4164.	[bug]		Don't rename slave files and journals on out of memory.
+			[RT #40033]
+
+4163.	[bug]		Address compiler warnings. [RT #40024]
+
+4162.	[bug]		httpdmgr->flags was not being initialized. [RT #40017]
+
+4159.	[cleanup]	Alphabetize dig's help output. [RT #39966]
+
+4158.	[protocol]	Support the printing of EDNS COOKIE and EXPIRE options.
+			[RT #39928]
+
+4154.	[bug]		A OPT record should be included with the FORMERR
+			response when there is a malformed EDNS option.
+			[RT #39647]
+
+4153.	[bug]		Check that non significant ECS bits are zero on
+			receipt. [RT #39647]
+
+4151.	[bug]		'rndc flush' could cause a deadlock. [RT #39835]
+
+4150.	[bug]		win32: listen-on-v6 { any; }; was not working.  Apply
+			minimal fix.  [RT #39667]
+
+4149.	[bug]		Fixed a race condition in the getaddrinfo()
+			implementation in libirs. [RT #39899]
+
+4148.	[bug]		Fix a bug when printing zone names with '/' character
+			in XML and JSON statistics output. [RT #39873]
+
+4147.	[bug]		Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
+			was returning referrals rather than nodata responses
+			when the AAAA records were filtered.  [RT #39843]
 
-4138.	[bug]		An uninitialized value in validator.c could result
+4146.	[bug]		Address reference leak that could prevent a clean
+			shutdown. [RT #37125]
+
+4145.	[bug]		Not all unassociated adb entries where being printed.
+			[RT #37125]
+
+4143.	[bug]		serial-query-rate was not effective for notify.
+			[RT #39858]
+
+4142.	[bug]		rndc addzone with view specified saved NZF config
+			that could not be read back by named. This has now
+			been fixed. [RT #39845]
+
+4138.	[security]	An uninitialized value in validator.c could result
 			in an assertion failure. (CVE-2015-4620) [RT #39795]
 
+4137.	[bug]		Make rndc reconfig report configuration errors the
+			same way rndc reload does. [RT #39635]
+
+4132.	[cleanup]	dig: added +rd as a synonym for +recurse,
+			added +class as an unabbreviated alternative
+			to +cl. [RT #39686]
+
+4130.	[bug]		The compatibility shim for *printf() misprinted some
+			large numbers. [RT #39586]
+
+4129.	[port]		Address API changes in OpenSSL 1.1.0. [RT #39532]
+
+4128.	[bug]		Address issues raised by Coverity 7.6. [RT #39537]
+
+4127.	[protocol]	CDS and CDNSKEY need to be signed by the key signing
+			key as per RFC 7344, Section 4.1. [RT #37215]
+
+4123.	[port]		Added %z (size_t) format options to the portable
+			internal printf/sprintf implementation. [RT #39586]
+
+4118.	[bug]		Teach isc-config.sh about irs. [RT #39213]
+
+4117.	[protocol]	Add EMPTY.AS112.ARPA as per RFC 7534.
+
+4113.	[test]		Check for Net::DNS is some system test
+			prerequisites. [RT #39369]
+
+4112.	[bug]		Named failed to load when "root-delegation-only"
+			was used without a list of domains to exclude.
+			[RT #39380]
+
+4111.	[doc]		Alphabetize rndc man page. [RT #39360]
+
+4110.	[bug]		Address memory leaks / null pointer dereferences
+			on out of memory. [RT #39310]
+
+4109.	[port]		linux: support reading the local port range from
+			net.ipv4.ip_local_port_range. [RT # 39379]
+
+4107.	[bug]		Address potential deadlock when updating zone content.
+			[RT #39269]
+
+4106.	[port]		Improve readline support. [RT #38938]
+
+4105.	[port]		Misc fixes for Microsoft Visual Studio
+			2015 CTP6 in 64 bit mode. [RT #39308]
+
+4104.	[bug]		Address uninitialized elements. [RT #39252]
+
+4102.	[bug]		Fix a use after free bug introduced in change
+			#4094.  [RT #39281]
+
+4101.	[bug]		dig: the +split option didn't work with +short.
+			[RT #39291]
+
+4100.	[bug]		Inherited owernames on the line immediately following
+			a $INCLUDE were not working.  [RT #39268]
+
+4099.	[port]		clang: make unknown commandline options hard errors
+			when determining what options are supported.
+			[RT #39273]
+
+4098.	[bug]		Address use-after-free issue when using a
+			predecessor key with dnssec-settime. [RT #39272]
+
+4097.	[func]		Add additional logging about xfrin transfer status.
+			[RT #39170]
+
+4096.	[bug]		Fix a use after free of query->sendevent.
+			[RT #39132]
+
+4094.	[bug]		A race during shutdown or reconfiguration could
+			cause an assertion in mem.c. [RT #38979]
+
+4091.	[cleanup]	Some cleanups in isc mem code. [RT #38896]
+
+4090.	[bug]		Fix a crash while parsing malformed CAA RRs in
+			presentation format, i.e., from text such as
+			from master files. Thanks to John Van de
+			Meulebrouck Brendgard for discovering and
+			reporting this problem. [RT #39003]
+
+4089.	[bug]		Send notifies immediately for slave zones during
+			startup. [RT #38843]
+
+4088.	[port]		Fixed errors when building with libressl. [RT #38899]
+
+4087.	[bug]		Fix a crash due to use-after-free due to sequencing
+			of tasks actions. [RT #38495]
+
+4085.	[bug]		ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
+			[RT #38828]
+
+4084.	[bug]		Fix a possible race in updating stats counters.
+			[RT #38826]
+
+4082.	[bug]		Incrementally sign large inline zone deltas.
+			[RT #37927]
+
+4081.	[cleanup]	Use dns_rdatalist_init consistently. [RT #38759]
+
+4077.	[test]		Add static-stub regression test for DS NXDOMAIN
+			return making the static stub disappear. [RT #38564]
+
+4076.	[bug]		Named could crash on shutdown with outstanding
+			reload / reconfig events. [RT #38622]
+
+4075.	[bug]		Increase nsupdate's input buffer to accomodate
+			very large RRs. [RT #38689]
+
+4074.	[cleanup]	Cleaned up more warnings from gcc -Wshadow. [RT #38708]
+
+4073.	[cleanup]	Add libjson-c version number reporting to
+			"named -V"; normalize version number formatting.
+			[RT #38056]
+
+4072.	[func]		Add a --enable-querytrace configure switch for
+			very verbose query trace logging. (This option
+			has a negative performance impact and should be
+			used only for debugging.) [RT #37520]
+
+4070.	[bug]		Fix a segfault in nslookup in a query such as
+			"nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
+			[RT #38548]
+
+4069.	[doc]		Reorganize options in the nsupdate man page.
+			[RT #38515]
+
+4067.	[cleanup]	Reduce noise from RRL when query logging is
+			disabled. [RT #38648]
+
+4066.	[doc]		Reorganize options in the dig man page. [RT #38516]
+
+4064.	[contrib]	dnssec-keyset.sh: Generates a specified number
+			of DNSSEC keys with timing set to implement a
+			pre-publication key rollover strategy. Thanks
+			to Jeffry A. Spain. [RT #38459]
+
+4063.	[bug]		Asynchronous zone loads were not handled
+			correctly when the zone load was already in
+			progress; this could trigger a crash in zt.c.
+			[RT #37573]
+
+4062.	[bug]		Fix an out-of-bounds read in RPZ code. If the
+			read succeeded, it doesn't result in a bug
+			during operation. If the read failed, named
+			could segfault. [RT #38559]
+
+3938.	[func]		Added quotas to be used in recursive resolvers
+			that are under high query load for names in zones
+			whose authoritative servers are nonresponsive or
+			are experiencing a denial of service attack.
+
+			- "fetches-per-server" limits the number of
+			  simultaneous queries that can be sent to any
+			  single authoritative server.  The configured
+			  value is a starting point; it is automatically
+			  adjusted downward if the server is partially or
+			  completely non-responsive. The algorithm used to
+			  adjust the quota can be configured via the
+			  "fetch-quota-params" option.
+			- "fetches-per-zone" limits the number of
+			  simultaneous queries that can be sent for names
+			  within a single domain.  (Note: Unlike
+			  "fetches-per-server", this value is not
+			  self-tuning.)
+			- New stats counters have been added to count
+			  queries spilled due to these quotas.
+
+			These options are not available by default;
+			use "configure --enable-fetchlimit" (or
+			--enable-developer) to include them in the build.
+
+			See the ARM for details of these options. [RT #37125]
+
+3937.	[func]		Added some debug logging to better indicate the
+			conditions causing SERVFAILs when resolving.
+			[RT #35538]
+
 	--- 9.9.7 released ---
 
 	--- 9.9.7rc2 released ---
@@ -16,7 +320,7 @@
 4061.	[bug]		Handle timeout in legacy system test. [RT #38573]
 
 4060.	[bug]		dns_rdata_freestruct could be called on a
-			uninitialised structure when handling a error.
+			uninitialized structure when handling a error.
 			[RT #38568]
 
 4059.	[bug]		Addressed valgrind warnings. [RT #38549]

Modified: stable/9/contrib/bind9/README
==============================================================================
--- stable/9/contrib/bind9/README	Sat Oct  3 09:22:21 2015	(r288576)
+++ stable/9/contrib/bind9/README	Sat Oct  3 09:33:29 2015	(r288577)
@@ -51,15 +51,35 @@ BIND 9
 	For up-to-date release notes and errata, see
 	http://www.isc.org/software/bind9/releasenotes
 
-BIND 9.9.7-P2
+BIND 9.9.8
 
-       BIND 9.9.7-P1 is a security release addressing the flaw
-       described in CVE-2015-5477.
+	BIND 9.9.8 is a maintenance release and addresses bugs
+	found in BIND 9.9.7 and earlier, as well as the security
+	flaws described in CVE-2015-4620, CVE-2015-5477,
+	CVE-2015-5722, and CVE-2015-5986.
+
+	It also makes the following new features available via a
+	compile-time option:
+
+	- New "fetchlimit" quotas are now available for the use of
+	  recursive resolvers that are are under high query load for
+	  domains whose authoritative servers are nonresponsive or are
+	  experiencing a denial of service attack.
+
+	  + "fetches-per-server" limits the number of simultaneous queries
+	    that can be sent to any single authoritative server.  The
+	    configured value is a starting point; it is automatically
+	    adjusted downward if the server is partially or completely
+	    non-responsive. The algorithm used to adjust the quota can be
+	    configured via the "fetch-quota-params" option.
+	  + "fetches-per-zone" limits the number of simultaneous queries
+	    that can be sent for names within a single domain.  (Note:
+	    Unlike "fetches-per-server", this value is not self-tuning.)
+	  + New stats counters have been added to count
+	    queries spilled due to these quotas.
 
-BIND 9.9.7-P1
-
-       BIND 9.9.7-P1 is a security release addressing the flaw
-       described in CVE-2015-4620.
+	  NOTE: These options are NOT built in by default; use
+	  "configure --enable-fetchlimit" to enable them.
 
 BIND 9.9.7
 

Modified: stable/9/contrib/bind9/bin/check/check-tool.c
==============================================================================
--- stable/9/contrib/bind9/bin/check/check-tool.c	Sat Oct  3 09:22:21 2015	(r288576)
+++ stable/9/contrib/bind9/bin/check/check-tool.c	Sat Oct  3 09:33:29 2015	(r288577)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012, 2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -33,6 +33,7 @@
 #include <isc/mem.h>
 #include <isc/netdb.h>
 #include <isc/net.h>
+#include <isc/print.h>
 #include <isc/region.h>
 #include <isc/stdio.h>
 #include <isc/string.h>

Modified: stable/9/contrib/bind9/bin/check/named-checkconf.c
==============================================================================
--- stable/9/contrib/bind9/bin/check/named-checkconf.c	Sat Oct  3 09:22:21 2015	(r288576)
+++ stable/9/contrib/bind9/bin/check/named-checkconf.c	Sat Oct  3 09:33:29 2015	(r288577)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -31,6 +31,7 @@
 #include <isc/hash.h>
 #include <isc/log.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/string.h>
 #include <isc/util.h>

Modified: stable/9/contrib/bind9/bin/check/named-checkzone.c
==============================================================================
--- stable/9/contrib/bind9/bin/check/named-checkzone.c	Sat Oct  3 09:22:21 2015	(r288576)
+++ stable/9/contrib/bind9/bin/check/named-checkzone.c	Sat Oct  3 09:33:29 2015	(r288577)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013, 2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -30,6 +30,7 @@
 #include <isc/hash.h>
 #include <isc/log.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/socket.h>
 #include <isc/string.h>
 #include <isc/task.h>

Modified: stable/9/contrib/bind9/bin/confgen/keygen.c
==============================================================================
--- stable/9/contrib/bind9/bin/confgen/keygen.c	Sat Oct  3 09:22:21 2015	(r288576)
+++ stable/9/contrib/bind9/bin/confgen/keygen.c	Sat Oct  3 09:33:29 2015	(r288577)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2012, 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -29,6 +29,7 @@
 #include <isc/file.h>
 #include <isc/keyboard.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/string.h>
 

Modified: stable/9/contrib/bind9/bin/confgen/util.c
==============================================================================
--- stable/9/contrib/bind9/bin/confgen/util.c	Sat Oct  3 09:22:21 2015	(r288576)
+++ stable/9/contrib/bind9/bin/confgen/util.c	Sat Oct  3 09:33:29 2015	(r288577)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -25,6 +25,7 @@
 #include <stdio.h>
 
 #include <isc/boolean.h>
+#include <isc/print.h>
 
 #include "util.h"
 

Modified: stable/9/contrib/bind9/bin/dig/dig.1
==============================================================================
--- stable/9/contrib/bind9/bin/dig/dig.1	Sat Oct  3 09:22:21 2015	(r288576)
+++ stable/9/contrib/bind9/bin/dig/dig.1	Sat Oct  3 09:33:29 2015	(r288577)
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -130,77 +130,97 @@ will perform a lookup for an A record.
 .RE
 .SH "OPTIONS"
 .PP
-The
-\fB\-b\fR
-option sets the source IP address of the query to
-\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"
+\-4
+.RS 4
+Use IPv4 only.
+.RE
 .PP
-The default query class (IN for internet) is overridden by the
-\fB\-c\fR
-option.
+\-6
+.RS 4
+Use IPv6 only.
+.RE
+.PP
+\-b \fIaddress\fR\fI[#port]\fR
+.RS 4
+Set the source IP address of the query. The
+\fIaddress\fR
+must be a valid address on one of the host's network interfaces, or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Set the query class. The default
 \fIclass\fR
-is any valid class, such as HS for Hesiod records or CH for Chaosnet records.
+is IN; other classes are HS for Hesiod records or CH for Chaosnet records.
+.RE
 .PP
-The
-\fB\-f\fR
-option makes
-\fBdig \fR
-operate in batch mode by reading a list of lookup requests to process from the file
-\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to
+\-f \fIfile\fR
+.RS 4
+Batch mode:
+\fBdig\fR
+reads a list of lookup requests to process from the given
+\fIfile\fR. Each line in the file should be organized in the same way they would be presented as queries to
 \fBdig\fR
 using the command\-line interface.
+.RE
 .PP
-The
-\fB\-m\fR
-option enables memory usage debugging.
-.PP
-If a non\-standard port number is to be queried, the
-\fB\-p\fR
-option is used.
-\fIport#\fR
-is the port number that
-\fBdig\fR
-will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
+\-i
+.RS 4
+Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT domain, which is no longer in use. Obsolete bit string label queries (RFC2874) are not attempted.
+.RE
 .PP
-The
-\fB\-4\fR
-option forces
-\fBdig\fR
-to only use IPv4 query transport. The
-\fB\-6\fR
-option forces
-\fBdig\fR
-to only use IPv6 query transport.
+\-k \fIkeyfile\fR
+.RS 4
+Sign queries using TSIG using a key read from the given file. Key files can be generated using
+\fBtsig\-keygen\fR(8). When using TSIG authentication with
+\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
+\fBkey\fR
+and
+\fBserver\fR
+statements in
+\fInamed.conf\fR.
+.RE
 .PP
-The
-\fB\-t\fR
-option sets the query type to
-\fItype\fR. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
+\-m
+.RS 4
+Enable memory usage debugging.
+.RE
+.PP
+\-p \fIport\fR
+.RS 4
+Send the query to a non\-standard port on the server, instead of the defaut port 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
+.RE
+.PP
+\-q \fIname\fR
+.RS 4
+The domain name to query. This is useful to distinguish the
+\fIname\fR
+from other arguments.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+The resource record type to query. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
 \fB\-x\fR
-option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required,
+option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, set the
 \fItype\fR
-is set to
+to
 ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was
 \fIN\fR.
+.RE
 .PP
-The
-\fB\-q\fR
-option sets the query name to
-\fIname\fR. This is useful to distinguish the
-\fIname\fR
-from other arguments.
-.PP
-The
-\fB\-v\fR
-causes
-\fBdig\fR
-to print the version number and exit.
+\-v
+.RS 4
+Print the version number and exit.
+.RE
 .PP
-Reverse lookups \(em mapping addresses to names \(em are simplified by the
-\fB\-x\fR
-option.
+\-x \fIaddr\fR
+.RS 4
+Simplified reverse lookups, for mapping addresses to names. The
 \fIaddr\fR
-is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When this option is used, there is no need to provide the
+is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When the
+\fB\-x\fR
+is used, there is no need to provide the
 \fIname\fR,
 \fIclass\fR
 and
@@ -208,35 +228,41 @@ and
 arguments.
 \fBdig\fR
 automatically performs a lookup for a name like
-11.12.13.10.in\-addr.arpa
-and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the
+94.2.0.192.in\-addr.arpa
+and sets the query type and class to PTR and IN respectively. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain (but see also the
 \fB\-i\fR
-option. Bit string labels (RFC2874) are now experimental and are not attempted.
+option).
+.RE
 .PP
-To sign the DNS queries sent by
-\fBdig\fR
-and their responses using transaction signatures (TSIG), specify a TSIG key file using the
+\-y \fI[hmac:]\fR\fIkeyname:secret\fR
+.RS 4
+Sign queries using TSIG with the given authentication key.
+\fIkeyname\fR
+is the name of the key, and
+\fIsecret\fR
+is the base64 encoded shared secret.
+\fIhmac\fR
+is the name of the key algorithm; valid choices are
+hmac\-md5,
+hmac\-sha1,
+hmac\-sha224,
+hmac\-sha256,
+hmac\-sha384, or
+hmac\-sha512. If
+\fIhmac\fR
+is not specified, the default is
+hmac\-md5.
+.sp
+NOTE: You should use the
 \fB\-k\fR
-option. You can also specify the TSIG key itself on the command line using the
+option and avoid the
 \fB\-y\fR
-option;
-\fIhmac\fR
-is the type of the TSIG, default HMAC\-MD5,
-\fIname\fR
-is the name of the TSIG key and
-\fIkey\fR
-is the actual key. The key is a base\-64 encoded string, typically generated by
-\fBdnssec\-keygen\fR(8). Caution should be taken when using the
+option, because with
 \fB\-y\fR
-option on multi\-user systems as the key can be visible in the output from
+the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
 \fBps\fR(1)
-or in the shell's history file. When using TSIG authentication with
-\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
-\fBkey\fR
-and
-\fBserver\fR
-statements in
-\fInamed.conf\fR.
+or in a history file maintained by the user's shell.
+.RE
 .SH "QUERY OPTIONS"
 .PP
 \fBdig\fR
@@ -245,7 +271,10 @@ provides a number of query options which
 Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
 no
 to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
-\fB+keyword=value\fR. The query options are:
+\fB+keyword=value\fR. Keywords may be abbreviated, provided the abbreviation is unambiguous; for example,
++cd
+is equivalent to
++cdflag. The query options are:
 .PP
 \fB+[no]aaflag\fR
 .RS 4
@@ -300,7 +329,7 @@ bytes. The maximum and minimum sizes of 
 Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
 .RE
 .PP
-\fB+[no]cl\fR
+\fB+[no]class\fR
 .RS 4
 Display [do not display] the CLASS when printing the record.
 .RE
@@ -421,6 +450,12 @@ Print [do not print] the query as it is 
 Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
 .RE
 .PP
+\fB+[no]rdflag\fR
+.RS 4
+A synonym for
+\fI+[no]recurse\fR.
+.RE
+.PP
 \fB+[no]recurse\fR
 .RS 4
 Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
@@ -518,6 +553,8 @@ Toggle tracing of the delegation path fr
 \fBdig\fR
 makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
 .sp
+If @server is also specified, it affects only the initial query for the root zone name servers.
+.sp
 \fB+dnssec\fR
 is also set when +trace is set to better emulate the default queries from a nameserver.
 .RE
@@ -620,7 +657,7 @@ RFC1035.
 .PP
 There are probably too many query options.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2011, 2013\-2015 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br

Modified: stable/9/contrib/bind9/bin/dig/dig.c
==============================================================================
--- stable/9/contrib/bind9/bin/dig/dig.c	Sat Oct  3 09:22:21 2015	(r288576)
+++ stable/9/contrib/bind9/bin/dig/dig.c	Sat Oct  3 09:33:29 2015	(r288577)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -165,71 +165,75 @@ help(void) {
 "        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
 "                 (Use ixfr=version for type ixfr)\n"
 "        q-opt    is one of:\n"
-"                 -x dot-notation     (shortcut for reverse lookups)\n"
-"                 -i                  (use IP6.INT for IPv6 reverse lookups)\n"
-"                 -f filename         (batch mode)\n"
+"                 -4                  (use IPv4 query transport only)\n"
+"                 -6                  (use IPv6 query transport only)\n"
 "                 -b address[#port]   (bind to source address/port)\n"
+"                 -c class            (specify query class)\n"
+"                 -f filename         (batch mode)\n"
+"                 -i                  (use IP6.INT for IPv6 reverse lookups)\n"
+"                 -k keyfile          (specify tsig key file)\n"
+"                 -m                  (enable memory usage debugging)\n"
 "                 -p port             (specify port number)\n"
 "                 -q name             (specify query name)\n"
 "                 -t type             (specify query type)\n"
-"                 -c class            (specify query class)\n"
-"                 -k keyfile          (specify tsig key file)\n"
+"                 -x dot-notation     (shortcut for reverse lookups)\n"
 "                 -y [hmac:]name:key  (specify named base64 tsig key)\n"
-"                 -4                  (use IPv4 query transport only)\n"
-"                 -6                  (use IPv6 query transport only)\n"
-"                 -m                  (enable memory usage debugging)\n"
 "        d-opt    is of the form +keyword[=value], where keyword is:\n"
-"                 +[no]vc             (TCP mode)\n"
-"                 +[no]tcp            (TCP mode, alternate syntax)\n"
-"                 +time=###           (Set query timeout) [5]\n"
-"                 +tries=###          (Set number of UDP attempts) [3]\n"
-"                 +retry=###          (Set number of UDP retries) [2]\n"
-"                 +domain=###         (Set default domainname)\n"
-"                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
-"                 +ndots=###          (Set NDOTS value)\n"
-"                 +[no]edns[=###]     (Set EDNS version) [0]\n"
-"                 +[no]search         (Set whether to use searchlist)\n"
-"                 +[no]showsearch     (Search with intermediate results)\n"
-"                 +[no]defname        (Ditto)\n"
-"                 +[no]recurse        (Recursive mode)\n"
-"                 +[no]ignore         (Don't revert to TCP for TC responses.)"
-"\n"
-"                 +[no]fail           (Don't try next server on SERVFAIL)\n"
-"                 +[no]besteffort     (Try to parse even illegal messages)\n"
 "                 +[no]aaonly         (Set AA flag in query (+[no]aaflag))\n"
-"                 +[no]adflag         (Set AD flag in query)\n"
-"                 +[no]cdflag         (Set CD flag in query)\n"
+"                 +[no]additional     (Control display of additional section)\n"
+"                 +[no]adflag         (Set AD flag in query (default on))\n"
+"                 +[no]all            (Set or clear all display flags)\n"
+"                 +[no]answer         (Control display of answer section)\n"
+"                 +[no]authority      (Control display of authority section)\n"
+"                 +[no]besteffort     (Try to parse even illegal messages)\n"
+"                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
+"                 +[no]cdflag         (Set checking disabled flag in query)\n"
 "                 +[no]cl             (Control display of class in records)\n"
 "                 +[no]cmd            (Control display of command line)\n"
 "                 +[no]comments       (Control display of comment lines)\n"
+"                 +[no]defname        (Use search list (+[no]search))\n"
+"                 +[no]dnssec         (Request DNSSEC records)\n"
+"                 +domain=###         (Set default domainname)\n"
+"                 +[no]edns[=###]     (Set EDNS version) [0]\n"
+"                 +[no]fail           (Don't try next server on SERVFAIL)\n"
+"                 +[no]identify       (ID responders in short answers)\n"
+"                 +[no]ignore         (Don't revert to TCP for TC responses.)"
+"\n"
+"                 +[no]keepopen       (Keep the TCP socket open between queries)\n"
+"                 +[no]multiline      (Print records in an expanded format)\n"
+"                 +ndots=###          (Set search NDOTS value)\n"
+"                 +[no]nsid           (Request Name Server ID)\n"
+"                 +[no]nssearch       (Search all authoritative nameservers)\n"
+"                 +[no]onesoa         (AXFR prints only one soa record)\n"
+"                 +[no]qr             (Print question before sending)\n"
+"                 +[no]question       (Control display of question section)\n"
+"                 +[no]recurse        (Recursive mode)\n"
+"                 +retry=###          (Set number of UDP retries) [2]\n"
 "                 +[no]rrcomments     (Control display of per-record "
 				       "comments)\n"
-"                 +[no]question       (Control display of question)\n"
-"                 +[no]answer         (Control display of answer)\n"
-"                 +[no]authority      (Control display of authority)\n"
-"                 +[no]additional     (Control display of additional)\n"
-"                 +[no]stats          (Control display of statistics)\n"
-"                 +[no]short          (Disable everything except short\n"
+"                 +[no]search         (Set whether to use searchlist)\n"
+"                 +[no]short          (Display nothing except short\n"
 "                                      form of answer)\n"
-"                 +[no]ttlid          (Control display of ttls in records)\n"
-"                 +[no]all            (Set or clear all display flags)\n"
-"                 +[no]qr             (Print question before sending)\n"
-"                 +[no]nssearch       (Search all authoritative nameservers)\n"
-"                 +[no]identify       (ID responders in short answers)\n"
-"                 +[no]trace          (Trace delegation down from root [+dnssec])\n"
-"                 +[no]dnssec         (Request DNSSEC records)\n"
-"                 +[no]nsid           (Request Name Server ID)\n"
+"                 +[no]showsearch     (Search with intermediate results)\n"
 #ifdef DIG_SIGCHASE
 "                 +[no]sigchase       (Chase DNSSEC signatures)\n"
-"                 +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)\n"
+#endif
+"                 +[no]split=##       (Split hex/base64 fields into chunks)\n"
+"                 +[no]stats          (Control display of statistics)\n"
+"                 +[no]tcp            (TCP mode (+[no]vc))\n"
+"                 +time=###           (Set query timeout) [5]\n"
+#ifdef DIG_SIGCHASE
 #if DIG_SIGCHASE_TD
 "                 +[no]topdown        (Do DNSSEC validation top down mode)\n"
 #endif
 #endif
-"                 +[no]split=##       (Split hex/base64 fields into chunks)\n"
-"                 +[no]multiline      (Print records in an expanded format)\n"
-"                 +[no]onesoa         (AXFR prints only one soa record)\n"
-"                 +[no]keepopen       (Keep the TCP socket open between queries)\n"
+"                 +[no]trace          (Trace delegation down from root [+dnssec])\n"
+"                 +tries=###          (Set number of UDP attempts) [3]\n"
+#ifdef DIG_SIGCHASE
+"                 +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)\n"
+#endif
+"                 +[no]ttlid          (Control display of ttls in records)\n"
+"                 +[no]vc             (TCP mode (+[no]tcp))\n"
 "        global d-opts and servers (before host name) affect all queries.\n"
 "        local d-opts and servers (after host name) affect only that lookup.\n"
 "        -h                           (print help and exit)\n"
@@ -306,6 +310,7 @@ say_message(dns_rdata_t *rdata, dig_quer
 	isc_result_t result;
 	isc_uint64_t diff;
 	char store[sizeof("12345678901234567890")];
+	unsigned int styleflags = 0;
 
 	if (query->lookup->trace || query->lookup->ns_search_only) {
 		result = dns_rdatatype_totext(rdata->type, buf);
@@ -313,7 +318,11 @@ say_message(dns_rdata_t *rdata, dig_quer
 			return (result);
 		ADD_STRING(buf, " ");
 	}
-	result = dns_rdata_totext(rdata, NULL, buf);
+
+	if (rrcomments)
+		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+	result = dns_rdata_tofmttext(rdata, NULL, styleflags, 0,
+				     splitwidth, " ", buf);
 	if (result == ISC_R_NOSPACE)
 		return (result);
 	check_result(result, "dns_rdata_totext");
@@ -831,8 +840,9 @@ plus_option(char *option, isc_boolean_t 
 				goto invalid_option;
 			}
 			break;
-		case 'l': /* cl */
-			FULLCHECK("cl");
+		case 'l': /* class */
+			/* keep +cl for backwards compatibility */
+			FULLCHECK2("cl", "class");
 			noclass = ISC_TF(!state);
 			break;
 		case 'm': /* cmd */
@@ -984,6 +994,10 @@ plus_option(char *option, isc_boolean_t 
 		break;
 	case 'r':
 		switch (cmd[1]) {
+		case 'd': /* rdflag */
+			FULLCHECK("rdflag");
+			lookup->recurse = state;
+			break;
 		case 'e':
 			switch (cmd[2]) {
 			case 'c': /* recurse */

Modified: stable/9/contrib/bind9/bin/dig/dig.docbook
==============================================================================
--- stable/9/contrib/bind9/bin/dig/dig.docbook	Sat Oct  3 09:22:21 2015	(r288576)
+++ stable/9/contrib/bind9/bin/dig/dig.docbook	Sat Oct  3 09:33:29 2015	(r288577)
@@ -2,7 +2,7 @@
 	       "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "—">]>
 <!--
- - Copyright (C) 2004-2011, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2011, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -47,6 +47,7 @@
       <year>2011</year>
       <year>2013</year>
       <year>2014</year>
+      <year>2015</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -216,127 +217,204 @@
   <refsect1>
     <title>OPTIONS</title>
 
-    <para>
-      The <option>-b</option> option sets the source IP address of the query
-      to <parameter>address</parameter>.  This must be a valid
-      address on
-      one of the host's network interfaces or "0.0.0.0" or "::".  An optional
-      port
-      may be specified by appending "#<port>"
-    </para>
-
-    <para>
-      The default query class (IN for internet) is overridden by the
-      <option>-c</option> option.  <parameter>class</parameter> is
-      any valid
-      class, such as HS for Hesiod records or CH for Chaosnet records.
-    </para>
-
-    <para>
-      The <option>-f</option> option makes <command>dig </command>
-      operate
-      in batch mode by reading a list of lookup requests to process from the
-      file <parameter>filename</parameter>.  The file contains a
-      number of
-      queries, one per line.  Each entry in the file should be organized in
-      the same way they would be presented as queries to
-      <command>dig</command> using the command-line interface.
-    </para>
-
-    <para>
-      The <option>-m</option> option enables memory usage debugging.
-      <!-- It enables ISC_MEM_DEBUGTRACE and ISC_MEM_DEBUGRECORD
-	   documented in include/isc/mem.h -->
-    </para>
-
-    <para>
-      If a non-standard port number is to be queried, the
-      <option>-p</option> option is used.  <parameter>port#</parameter> is
-      the port number that <command>dig</command> will send its
-      queries
-      instead of the standard DNS port number 53.  This option would be used
-      to test a name server that has been configured to listen for queries
-      on a non-standard port number.
-    </para>
-
-    <para>
-      The <option>-4</option> option forces <command>dig</command>
-      to only
-      use IPv4 query transport.  The <option>-6</option> option forces
-      <command>dig</command> to only use IPv6 query transport.
-    </para>
-
-    <para>
-      The <option>-t</option> option sets the query type to
-      <parameter>type</parameter>.  It can be any valid query type
-      which is
-      supported in BIND 9.  The default query type is "A", unless the
-      <option>-x</option> option is supplied to indicate a reverse lookup.
-      A zone transfer can be requested by specifying a type of AXFR.  When
-      an incremental zone transfer (IXFR) is required,
-      <parameter>type</parameter> is set to <literal>ixfr=N</literal>.
-      The incremental zone transfer will contain the changes made to the zone

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


More information about the svn-src-stable-9 mailing list