Anonymous committed 789b621 Merge with conflicts

Merge commit 'origin/master'

Conflicts:

doc/arm/Bv9ARM.pdf
lib/isc/unix/socket.c

Files changed (72)

-	--- 9.5.0-P1 released ---
-
-2375.   [security]      Fully randomize UDP query ports to improve
+	--- 9.5.1b1 released ---
+
+2385.	[bug]		A condition variable in socket.c could leak in
+			rare error handling [RT #17968].
+
+2384.	[security]	Additional support for query port randomization (change
+			#2375) including performance improvement and port range
+			specification.  [RT #17949, #18098]
+
+2383.	[bug]		named could double queries when they resulted in
+			SERVFAIL due to overkilling EDNS0 failure detection.
+			[RT #18182]
+
+2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
+			to ARM.
+
+2381.	[port]		dlz/mysql: support multiple install layouts for
+			mysql.  <prefix>/include/{,mysql/}mysql.h and
+			<prefix>/lib/{,mysql/}. [RT #18152]
+
+2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
+			proofs which, in turn, caused validation failures
+			for insecure zones immediately below a secure zone
+			the server was authoritative for. [RT #18112] 
+
+2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
+			TLDs and supported RRs with TTLs [RT #17972]
+
+2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
+			[RT #18169]
+
+2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]
+
+2376.	[bug]		Change #2144 was not complete.
+
+2375.	[security]	Fully randomize UDP query ports to improve
 			forgery resilience. [RT #17949]
 
+2373.	[bug]		Default values of zone ACLs were re-parsed each time a
+			new zone was configured, causing an overconsumption
+			of memory. [RT #18092]
+
 	--- 9.5.0 released ---
 
-2374.   [bug]           "blackhole" ACLs could cause named to segfault due
+2374.	[bug]		"blackhole" ACLs could cause named to segfault due
 			to some uninitialized memory. [RT #18095]
 
-2372.   [bug]           fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
-
-2371.   [doc]           add +nsid option to dig man page. [RT #18039]
-
-2370.   [bug]           "rndc freeze" could trigger an assertion in named
-                        when called on a nonexistent zone. [RT #18050]
+2372.	[bug]		fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
+
+2371.	[doc]		add +nsid option to dig man page. [RT #18039]
+
+2370.	[bug]		"rndc freeze" could trigger an assertion in named
+			when called on a nonexistent zone. [RT #18050]
 
 	--- 9.5.0rc1 released ---
 
-2368.   [port]          Linux: use libcap for capability management if
-                        possible. [RT# 18026]
-
-2367.   [bug]           Improve counting of dns_resstatscounter_retry
-                        [RT #18030]
+2368.	[port]		Linux: use libcap for capability management if
+			possible. [RT# 18026]
+
+2367.	[bug]		Improve counting of dns_resstatscounter_retry
+			[RT #18030]
 
 2366.	[bug]		Adb shutdown race. [RT #18021]
 
-2365.   [bug]           Fix a bug that caused dns_acl_isany() to return
-                        spurious results. [RT #18000]
+2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
+			spurious results. [RT #18000]
 
 2364.	[bug]		named could trigger a assertion when serving a
 			malformed signed zone. [RT #17828]
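Review bot: the "--- 9.5.0-P1 released ---" marker removed at the top of this hunk is not re-added anywhere below, so change 2375 now reads as if it first shipped in 9.5.1b1, and the new 2384 entry that refers back to "change #2375" loses the link to the -P1 security release. If that release should stay visible in this branch's history, keep the marker above 2375. Also check the ordering around the 9.5.0 marker: 2373 is added above "--- 9.5.0 released ---" while 2374 sits below it, so the numbers no longer descend monotonically; a short remark in 2373 that it landed after 9.5.0 would explain why.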
 2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
 			[RT #17513]
 
-2362.   [cleanup]       Make "rrset-order fixed" a compile-time option.
-                        settable by "./configure --enable-fixed-rrset".
-                        Disabled by default. [RT #17977]
+2362.	[cleanup]	Make "rrset-order fixed" a compile-time option.
+			settable by "./configure --enable-fixed-rrset".
+			Disabled by default. [RT #17977]
 
 2361.	[bug]		"recursion" statistics counter could be counted
 			multiple times for a single query.  [RT #17990]
 
 2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]
 
-2335.	[port]		sunos:  libbind and *printf() support for long long. 
+2335.	[port]		sunos:  libbind and *printf() support for long long.
 			[RT #17513]
 
 2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
 			bug in fromstruct_txt(). [RT #17609]
-			
+
 2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
 			[RT #17608]
 
 
 2331.	[bug]		Failure to regenerate any signatures was not being
 			reported nor being past back to the UPDATE client.
-		 	[RT #17570]
+			[RT #17570]
 
 2330.	[bug]		Remove potential race condition when handling
 			over memory events. [RT #17572]
 2320.	[func]		Make statistics counters thread-safe for platforms
 			that support certain atomic operations. [RT #17466]
 
-2319.	[bug]		Silence Coverity warnings in 
+2319.	[bug]		Silence Coverity warnings in
 			lib/dns/rdata/in_1/apl_42.c. [RT #17469]
 
 2318.	[port]		sunos fixes for libbind.  [RT #17514]
 2316.	[port]		Missing #include <isc/print.h> in lib/dns/gssapictx.c.
 			[RT #17513]
 
-2315.   [bug]           Used incorrect address family for mapped IPv4
-                        addresses in acl.c. [RT #17519]
+2315.	[bug]		Used incorrect address family for mapped IPv4
+			addresses in acl.c. [RT #17519]
 
 2314.	[bug]		Uninitialized memory use on error path in
 			bin/named/lwdnoop.c.  [RT #17476]
 2312.	[cleanup]	Silence Coverity warning in lib/isc/unix/socket.c.
 			[RT #17458]
 
-2311.   [bug]           IPv6 addresses could match IPv4 ACL entries and
-                        vice versa. [RT #17462]
+2311.	[bug]		IPv6 addresses could match IPv4 ACL entries and
+			vice versa. [RT #17462]
 
 2310.	[bug]		dig, host, nslookup: flush stdout before emitting
 			debug/fatal messages.  [RT #17501]
 
-2309.   [cleanup]       Fix Coverity warnings in lib/dns/acl.c and iptable.c.
-                        [RT #17455]
+2309.	[cleanup]	Fix Coverity warnings in lib/dns/acl.c and iptable.c.
+			[RT #17455]
 
 2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
 			[RT #17495]
 2301.	[bug]		Remove resource leak and fix error messages in
 			bin/tests/system/lwresd/lwtest.c. [RT #17474]
 
-2300.	[bug]		Fixed failure to close open file in 
+2300.	[bug]		Fixed failure to close open file in
 			bin/tests/names/t_names.c. [RT #17473]
 
 2299.	[bug]		Remove unnecessary NULL check in
 2292.	[bug]		Log if the working directory is not writable.
 			[RT #17312]
 
-2291.   [bug]           PR_SET_DUMPABLE may be set too late.  Also report
+2291.	[bug]		PR_SET_DUMPABLE may be set too late.  Also report
 			failure to set PR_SET_DUMPABLE. [RT #17312]
 
 2290.	[bug]		Let AD in the query signal that the client wants AD
 2280.	[func]		Allow the experimental http server to be reached
 			over IPv6 as well as IPv4. [RT #17332]
 
-2279.   [bug]           Use setsockopt(SO_NOSIGPIPE), when available,
+2279.	[bug]		Use setsockopt(SO_NOSIGPIPE), when available,
 			to protect applications from receiving spurious
 			SIGPIPE signals when using the resolver.
 
 
 	--- 9.5.0b1 released ---
 
-2267.   [bug]           Radix tree node_num value could be set incorrectly,
-                        causing positive ACL matches to look like negative
-                        ones.  [RT #17311]
+2267.	[bug]		Radix tree node_num value could be set incorrectly,
+			causing positive ACL matches to look like negative
+			ones.  [RT #17311]
 
 2266.	[bug]		client.c:get_clientmctx() returned the same mctx
 			once the pool of mctx's was filled. [RT #17218]
 2262.	[bug]		Error status from all but the last view could be
 			lost. [RT #17292]
 
-2261.   [bug]           Fix memory leak with "any" and "none" ACLs [RT #17272]
+2261.	[bug]		Fix memory leak with "any" and "none" ACLs [RT #17272]
 
 2260.	[bug]		Reported wrong clients-per-query when increasing the
-                        value. [RT #17236]
+			value. [RT #17236]
 
 2259.	[placeholder]
 
 			intermediate values as timer->idle was reset by
 			isc_timer_touch(). [RT #17243]
 
-2253.	[func]	 	"max-cache-size" defaults to 32M.
+2253.	[func]		"max-cache-size" defaults to 32M.
 			"max-acache-size" defaults to 16M.
 
-2252.   [bug]           Fixed errors in sortlist code [RT #17216]
+2252.	[bug]		Fixed errors in sortlist code [RT #17216]
 
 2251.	[placeholder]
 
 			memory statistics file should be written or not.
 			Additionally named's -m option will cause the
 			statistics file to be written. [RT #17113]
-			
-2249.   [bug]           Only set Authentic Data bit if client requested
-                        DNSSEC, per RFC 3655 [RT #17175]
-
-2248.   [cleanup]       Fix several errors reported by Coverity. [RT #17160]
+
+2249.	[bug]		Only set Authentic Data bit if client requested
+			DNSSEC, per RFC 3655 [RT #17175]
+
+2248.	[cleanup]	Fix several errors reported by Coverity. [RT #17160]
 
 2247.	[doc]		Sort doc/misc/options. [RT #17067]
 
 
 2235.	[bug]		<isc/atomic.h> was not being installed. [RT #17135]
 
-2234.   [port]          Correct some compiler warnings on SCO OSr5 [RT #17134]
-  
-2233.   [func]          Add support for O(1) ACL processing, based on
-                        radix tree code originally written by Kevin
-                        Brintnall. [RT #16288]
+2234.	[port]		Correct some compiler warnings on SCO OSr5 [RT #17134]
+
+2233.	[func]		Add support for O(1) ACL processing, based on
+			radix tree code originally written by Kevin
+			Brintnall. [RT #16288]
 
 2232.	[bug]		dns_adb_findaddrinfo() could fail and return
 			ISC_R_SUCCESS. [RT #17137]
 2226.	[placeholder]
 
 2225.	[bug]		More support for systems with no IPv4 addresses.
-		        [RT #17111]
+			[RT #17111]
 
 2224.	[bug]		Defer journal compaction if a xfrin is in progress.
 			[RT #17119]
 2223.	[bug]		Make a new journal when compacting. [RT #17119]
 
 2222.	[func]		named-checkconf now checks server key references.
-		        [RT #17097]
+			[RT #17097]
 
 2221.	[bug]		Set the event result code to reflect the actual
 			record turned to caller when a cache update is
 
 2220.	[bug]		win32: Address a race condition in final shutdown of
 			the Windows socket code. [RT #17028]
-			
+
 2219.	[bug]		Apply zone consistency checks to additions, not
 			removals, when updating. [RT #17049]
 
 2217.	[func]		Adjust update log levels. [RT #17092]
 
 2216.	[cleanup]	Fix a number of errors reported by Coverity.
-		        [RT #17094]
+			[RT #17094]
 
 2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
 
 			localhost;) is used.
 
 			[RT #16987]
-	
+
 2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]
 
 2204.	[bug]		"rndc flushanme name unknown-view" caused named
 			allow-query-on, allow-recursion-on and
 			allow-query-cache-on. [RT #16291]
 
-2164.	[bug]		The code to determine how named-checkzone / 
+2164.	[bug]		The code to determine how named-checkzone /
 			named-compilezone was called failed under windows.
 			[RT #16764]
 
 
 2095.	[port]		libbind: alway prototype inet_cidr_ntop_ipv6() and
 			net_cidr_ntop_ipv6(). [RT #16388]
- 
+
 2094.	[contrib]	Update named-bootconf.  [RT# 16404]
 
 2093.	[bug]		named-checkzone -s was broken.
 
 2092.	[bug]		win32: dig, host, nslookup.  Use registry config
 			if resolv.conf does not exist or no nameservers
-			listed. [RT #15877] 
+			listed. [RT #15877]
 
 2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]
 
 
 1964.	[func]		Separate out MX and SRV to CNAME checks. [RT #15723]
 
-1963.	[port]		Tru64 4.0E doesn't support send() and recv(). 
+1963.	[port]		Tru64 4.0E doesn't support send() and recv().
 			[RT #15586]
 
 1962.	[bug]		Named failed to clear old update-policy when it
 1951.	[security]	Drop queries from particular well known ports.
 			Don't return FORMERR to queries from particular
 			well known ports.  [RT #15636]
-			
+
 1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
 			a TCP socket. This prevents the source address being
 			set for TCP connections. [RT #15628]
 1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is no longer recommended.
 			To generate a RSAMD5 key you must explicitly request
 			RSAMD5. [RT #13780]
-			
+
 1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
 			[RT #15522]
 
 			[RT #15034]
 
 1905.	[bug]		Strings returned from cfg_obj_asstring() should be
-			treated as read-only.  The prototype for 
+			treated as read-only.  The prototype for
 			cfg_obj_asstring() has been updated to reflect this.
 			[RT #15256]
 
 1863.	[bug]		rrset-order "fixed" error messages not complete.
 
 1862.	[func]		Add additional zone data constancy checks.
-			named-checkzone has extended checking of NS, MX and 
+			named-checkzone has extended checking of NS, MX and
 			SRV record and the hosts they reference.
 			named has extended post zone load checks.
-			New zone options: check-mx and integrity-check. 
+			New zone options: check-mx and integrity-check.
 			[RT #4940]
 
 1861.	[bug]		dig could trigger a INSIST on certain malformed
 1848.	[bug]		Improve SMF integration. [RT #13238]
 
 1847.	[bug]		isc_ondestroy_init() is called too late in
-			dns_rbtdb_create()/dns_rbtdb64_create(). 
+			dns_rbtdb_create()/dns_rbtdb64_create().
 			[RT #13661]
-			
+
 1846.	[contrib]	query-loc-0.3.0 from Stephane Bortzmeyer
 			<bortzmeyer@nic.fr>.
 
 			[RT #12866]
 
 1748.	[func]		dig now returns the byte count for axfr/ixfr.
-			
+
 1747.	[bug]		BIND 8 compatibility: named/named-checkconf failed
 			to parse "host-statistics-max" in named.conf.
 
 			requested number of worker threads then destruction
 			of the manager would trigger an INSIST() failure.
 			[RT #12790]
-			
+
 1742.	[bug]		Deleting all records at a node then adding a
 			previously existing record, in a single UPDATE
 			transaction, failed to leave / regenerate the
 
 1740.	[bug]		Replace rbt's hash algorithm as it performed badly
 			with certain zones. [RT #12729]
-			
+
 			NOTE: a hash context now needs to be established
 			via isc_hash_create() if the application was not
 			already doing this.
 
 1736.	[bug]		dst_key_fromnamedfile() could fail to read a
 			public key. [RT #12687]
-			
+
 1735.	[bug]		'dig +sigtrace' could die with a REQUIRE failure.
 			[RE #12688]
 
 
 1675.	[bug]		named would sometimes add extra NSEC records to
 			the authority section.
-			
+
 1674.	[port]		linux: increase buffer size used to scan
 			/proc/net/if_inet6.
 
 
 1648.	[func]		Update dnssec-lookaside named.conf syntax to support
 			multiple dnssec-lookaside namespaces (not yet
-			implemented).  
+			implemented).
 
 1647.	[bug]		It was possible trigger a INSIST when chasing a DS
 			record that required walking back over a empty node.
 
 1638.	[bug]		"ixfr-from-differences" could generate a REQUIRE
 			failure if the journal open failed. [RT #11347]
-			
+
 1637.	[bug]		Node reference leak on error in addnoqname().
 
 1636.	[bug]		The dump done callback could get ISC_R_SUCCESS even if
 1607.	[bug]		dig, host and nslookup were still using random()
 			to generate query ids. [RT# 11013]
 
-1606.	[bug]	 	DLV insecurity proof was failing.
+1606.	[bug]		DLV insecurity proof was failing.
 
 1605.	[func]		New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
 
 1604.	[bug]		A xfrout_ctx_create() failure would result in
 			xfrout_ctx_destroy() being called with a
 			partially initialized structure.
-			
+
 1603.	[bug]		nsupdate: set interactive based on isatty().
 			[RT# 10929]
 
 1602.	[bug]		Logging to a file failed unless a size was specified.
 			[RT# 10925]
 
-1601.	[bug]		Silence spurious warning 'both "recursion no;" and 
+1601.	[bug]		Silence spurious warning 'both "recursion no;" and
 			"allow-recursion" active' warning from view "_bind".
 			[RT# 10920]
 
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: FAQ.xml,v 1.30.26.3 2008/02/25 05:08:10 marka Exp $ -->
+<!-- $Id: FAQ.xml,v 1.30.26.4 2008/06/04 02:51:13 tbox Exp $ -->
 
 <article class="faq">
   <title>Frequently Asked Questions about BIND 9</title>
 	  requests are coming from a Windows 2000 machine, see
 	  <ulink
 	   url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
-	    http://support.microsoft.com/support/kb/articles/q246/8/04.asp
-	  </ulink>
+  &lt;http://support.microsoft.com/support/kb/articles/q246/8/04.asp&gt;</ulink>
 	  for information about how to turn them off.
 	</para>
       </answer>
 	  usage rules and are leaking queries to the Internet.  You
 	  should establish your own zones for these addresses to prevent
 	  you querying the Internet's name servers for these addresses.
-	  Please see <ulink url="http://as112.net/">http://as112.net/</ulink>
+	  Please see <ulink url="http://as112.net/">&lt;http://as112.net/&gt;</ulink>
 	  for details of the problems you are causing and the counter
 	  measures that have had to be deployed.
 	</para>
 	</para>
 	<para>
 	  See:
-	  <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2">http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2</ulink>
+	  <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2">&lt;http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2&gt;</ulink>
+	</para>
+      </answer>
+    </qandaentry>
+
+    <qandaentry>
+      <question>
+	<para>
+	  Why does named lock up when it attempts to connect over IPSEC tunnels?
+	</para>
+      </question>
+      <answer>
+	<para>
+	  This is due to a kernel bug where the fact that a socket is marked
+	  non-blocking is ignored.  It is reported that setting
+	  xfrm_larval_drop to 1 helps but this may have negative side effects.
+	  See:
+<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=427629">&lt;https://bugzilla.redhat.com/show_bug.cgi?id=427629&gt;</ulink>
+	  and
+<ulink url="http://lkml.org/lkml/2007/12/4/260">&lt;http://lkml.org/lkml/2007/12/4/260&gt;</ulink>.
+	</para>
+	<para>
+	xfrm_larval_drop can be set to 1 by the following procedure:
+<programlisting>
+echo "1" &gt; proc/sys/net/core/xfrm_larval_drop</programlisting>
 	</para>
       </answer>
     </qandaentry>
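Review bot: the command in the new programlisting writes to "proc/sys/net/core/xfrm_larval_drop", a relative path with no leading slash, so it only works when the shell's current directory is /. It should read "/proc/sys/net/core/xfrm_larval_drop". The answer also warns that the setting "may have negative side effects" without naming any; since the FAQ is telling operators to change a kernel network setting, either say what the side effect is or state that the two linked reports describe it.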
 
 	<para>
 	   Red Hat have adopted the National Security Agency's
-	   SELinux security policy ( see http://www.nsa.gov/selinux
-	   ) and recommendations for BIND security , which are more
+	   SELinux security policy (see <ulink
+   url="http://www.nsa.gov/selinux">&lt;http://www.nsa.gov/selinux&gt;</ulink>)
+	   and recommendations for BIND security , which are more
 	   secure than running named in a chroot and make use of
 	   the bind-chroot environment unnecessary .
 	</para>
 	<para>
 	  See also
 	  <ulink url="http://people.freebsd.org/~dougb/randomness.html">
-	    http://people.freebsd.org/~dougb/randomness.html
-	  </ulink>
+	  &lt;http://people.freebsd.org/~dougb/randomness.html&gt;</ulink>.
 	</para>
       </answer>
     </qandaentry>
 	<para>
 	  <ulink
 	  url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
-	     http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
+	 &lt;http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris&gt;
 	  </ulink>
 	</para>
       </answer>
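Review bot: the blogs.sun.com link at the end of this file still has its bracketed URL text on its own line with "</ulink>" on the following line, while the other links touched in this commit (the Microsoft KB and randomness.html ones) were changed to close the tag directly after "&gt;". For consistency, and to keep stray whitespace out of the link text, put "</ulink>" on the same line as the URL here too.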

KNOWN-DEFECTS

-                    Known defects in ISC BIND 9.5.0
-
-Just before the 9.5.0 release of BIND it was determined that some of
-the changes in this release have caused an overuse of memory on systems
-serving very large numbers of zones.
-
-Zone ACLs, including allow-transfer, allow-query, allow-notify,
-allow-update, and allow-update-forwarding, that are defined in the
-"view" or "options" block of named.conf, should be parsed and loaded
-once, and then referenced by the zones that use them; however, they
-are currently parsed and loaded into memory separately by each zone.  On
-systems with hundreds or thousands of zones, this can consume a huge
-amount of memory--especially when the ACLs being copied are also large.
-
-There is a fix for this problem, but it was developed too late in the
-the test/release cycle for inclusion in BIND 9.5.0 as part of the mainline
-source code.  After it has been sufficiently tested, it will be included in
-BIND 9.5.1.
-
-In the meantime, the patch is included below for those who wish to
-experiment with it.  To apply, run: "patch -p0 < KNOWN-DEFECTS;
-make clean; configure; make".
-
-Index: bin/named/server.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/named/server.c,v
-retrieving revision 1.495.10.10
-diff -u -r1.495.10.10 server.c
---- bin/named/server.c	3 Apr 2008 06:20:33 -0000	1.495.10.10
-+++ bin/named/server.c	21 May 2008 23:46:14 -0000
-@@ -1684,6 +1684,28 @@
- 	CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
- 				      &view->sortlist));
- 
-+        /*
-+         * Configure default allow-transfer, allow-notify, allow-update
-+         * and allow-update-forwarding ACLs, if set, so they can be
-+         * inherited by zones.
-+         */
-+	if (view->notifyacl == NULL)
-+		CHECK(configure_view_acl(NULL, ns_g_config,
-+					 "allow-notify", actx,
-+					 ns_g_mctx, &view->notifyacl));
-+	if (view->transferacl == NULL)
-+		CHECK(configure_view_acl(NULL, ns_g_config,
-+					 "allow-transfer", actx,
-+					 ns_g_mctx, &view->transferacl));
-+	if (view->updateacl == NULL)
-+		CHECK(configure_view_acl(NULL, ns_g_config,
-+					 "allow-update", actx,
-+					 ns_g_mctx, &view->updateacl));
-+	if (view->upfwdacl == NULL)
-+		CHECK(configure_view_acl(NULL, ns_g_config,
-+					 "allow-update-forwarding", actx,
-+					 ns_g_mctx, &view->upfwdacl));
-+
- 	obj = NULL;
- 	result = ns_config_get(maps, "request-ixfr", &obj);
- 	INSIST(result == ISC_R_SUCCESS);
-Index: bin/named/zoneconf.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/named/zoneconf.c,v
-retrieving revision 1.139.56.3
-diff -u -r1.139.56.3 zoneconf.c
---- bin/named/zoneconf.c	21 May 2008 23:26:11 -0000	1.139.56.3
-+++ bin/named/zoneconf.c	21 May 2008 23:46:15 -0000
-@@ -45,6 +45,15 @@
- #include <named/server.h>
- #include <named/zoneconf.h>
- 
-+/* ACLs associated with zone */
-+typedef enum {
-+	allow_notify,
-+	allow_query,
-+	allow_transfer,
-+	allow_update,
-+	allow_update_forwarding
-+} acl_type_t;
-+
- /*%
-  * These are BIND9 server defaults, not necessarily identical to the
-  * library defaults defined in zone.c.
-@@ -60,19 +69,69 @@
-  */
- static isc_result_t
- configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
--		   const cfg_obj_t *config, const char *aclname,
-+		   const cfg_obj_t *config, acl_type_t acltype,
- 		   cfg_aclconfctx_t *actx, dns_zone_t *zone,
- 		   void (*setzacl)(dns_zone_t *, dns_acl_t *),
- 		   void (*clearzacl)(dns_zone_t *))
- {
- 	isc_result_t result;
--	const cfg_obj_t *maps[5];
-+	const cfg_obj_t *maps[5] = {NULL, NULL, NULL, NULL, NULL};
- 	const cfg_obj_t *aclobj = NULL;
- 	int i = 0;
--	dns_acl_t *dacl = NULL;
-+	dns_acl_t **aclp = NULL, *acl = NULL;
-+	const char *aclname;
-+        dns_view_t *view;
-+
-+        view = dns_zone_getview(zone);
-+
-+	switch (acltype) {
-+	    case allow_notify:
-+                if (view != NULL)
-+                        aclp = &view->notifyacl;
-+		aclname = "allow-notify";
-+		break;
-+	    case allow_query:
-+                if (view != NULL)
-+                        aclp = &view->queryacl;
-+		aclname = "allow-query";
-+		break;
-+	    case allow_transfer:
-+                if (view != NULL)
-+                        aclp = &view->transferacl;
-+		aclname = "allow-transfer";
-+		break;
-+	    case allow_update:
-+                if (view != NULL)
-+                        aclp = &view->updateacl;
-+		aclname = "allow-update";
-+		break;
-+	    case allow_update_forwarding:
-+                if (view != NULL)
-+                        aclp = &view->upfwdacl;
-+		aclname = "allow-update-forwarding";
-+		break;
-+            default:
-+                INSIST(0);
-+                return (ISC_R_FAILURE);
-+	}
- 
--	if (zconfig != NULL)
--		maps[i++] = cfg_tuple_get(zconfig, "options");
-+	/* First check to see if ACL is defined within the zone */
-+	if (zconfig != NULL) {
-+		maps[0] = cfg_tuple_get(zconfig, "options");
-+		ns_config_get(maps, aclname, &aclobj);
-+		if (aclobj != NULL) {
-+			aclp = NULL;
-+			goto parse_acl;
-+		}
-+	}
-+
-+	/* Failing that, see if there's a default ACL already in the view */
-+	if (aclp != NULL && *aclp != NULL) {
-+		(*setzacl)(zone, *aclp);
-+		return (ISC_R_SUCCESS);
-+	}
-+
-+	/* Check for default ACLs that haven't been parsed yet */
- 	if (vconfig != NULL)
- 		maps[i++] = cfg_tuple_get(vconfig, "options");
- 	if (config != NULL) {
-@@ -90,12 +149,18 @@
- 		return (ISC_R_SUCCESS);
- 	}
- 
-+parse_acl:
- 	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx,
--				    dns_zone_getmctx(zone), 0, &dacl);
-+				    dns_zone_getmctx(zone), 0, &acl);
- 	if (result != ISC_R_SUCCESS)
- 		return (result);
--	(*setzacl)(zone, dacl);
--	dns_acl_detach(&dacl);
-+	(*setzacl)(zone, acl);
-+
-+        /* Set the view default now */
-+	if (aclp != NULL)
-+		dns_acl_attach(acl, aclp);
-+
-+	dns_acl_detach(&acl);
- 	return (ISC_R_SUCCESS);
- }
- 
-@@ -454,14 +519,14 @@
- 
- 	if (ztype == dns_zone_slave)
- 		RETERR(configure_zone_acl(zconfig, vconfig, config,
--					  "allow-notify", ac, zone,
-+					  allow_notify, ac, zone,
- 					  dns_zone_setnotifyacl,
- 					  dns_zone_clearnotifyacl));
- 	/*
- 	 * XXXAG This probably does not make sense for stubs.
- 	 */
- 	RETERR(configure_zone_acl(zconfig, vconfig, config,
--				  "allow-query", ac, zone,
-+				  allow_query, ac, zone,
- 				  dns_zone_setqueryacl,
- 				  dns_zone_clearqueryacl));
- 
-@@ -564,7 +629,7 @@
- 		dns_zone_setisself(zone, ns_client_isself, NULL);
- 
- 		RETERR(configure_zone_acl(zconfig, vconfig, config,
--					  "allow-transfer", ac, zone,
-+					  allow_transfer, ac, zone,
- 					  dns_zone_setxfracl,
- 					  dns_zone_clearxfracl));
- 
-@@ -655,7 +720,7 @@
- 	if (ztype == dns_zone_master) {
- 		dns_acl_t *updateacl;
- 		RETERR(configure_zone_acl(zconfig, vconfig, config,
--					  "allow-update", ac, zone,
-+					  allow_update, ac, zone,
- 					  dns_zone_setupdateacl,
- 					  dns_zone_clearupdateacl));
- 
-@@ -754,7 +819,7 @@
- 				   cfg_obj_asboolean(obj));
- 	} else if (ztype == dns_zone_slave) {
- 		RETERR(configure_zone_acl(zconfig, vconfig, config,
--					  "allow-update-forwarding", ac, zone,
-+					  allow_update_forwarding, ac, zone,
- 					  dns_zone_setforwardacl,
- 					  dns_zone_clearforwardacl));
- 	}
-Index: lib/dns/view.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/lib/dns/view.c,v
-retrieving revision 1.143.128.5
-diff -u -r1.143.128.5 view.c
---- lib/dns/view.c	13 May 2008 23:46:31 -0000	1.143.128.5
-+++ lib/dns/view.c	21 May 2008 23:46:19 -0000
-@@ -172,6 +172,10 @@
- 	view->recursionacl = NULL;
- 	view->recursiononacl = NULL;
- 	view->sortlist = NULL;
-+	view->transferacl = NULL;
-+	view->notifyacl = NULL;
-+	view->updateacl = NULL;
-+	view->upfwdacl = NULL;
- 	view->requestixfr = ISC_TRUE;
- 	view->provideixfr = ISC_TRUE;
- 	view->maxcachettl = 7 * 24 * 3600;
-@@ -299,6 +303,14 @@
- 		dns_acl_detach(&view->recursiononacl);
- 	if (view->sortlist != NULL)
- 		dns_acl_detach(&view->sortlist);
-+	if (view->transferacl != NULL)
-+		dns_acl_detach(&view->transferacl);
-+	if (view->notifyacl != NULL)
-+		dns_acl_detach(&view->notifyacl);
-+	if (view->updateacl != NULL)
-+		dns_acl_detach(&view->updateacl);
-+	if (view->upfwdacl != NULL)
-+		dns_acl_detach(&view->upfwdacl);
- 	if (view->delonly != NULL) {
- 		dns_name_t *name;
- 		int i;
-Index: lib/dns/include/dns/view.h
-===================================================================
-RCS file: /proj/cvs/prod/bind9/lib/dns/include/dns/view.h,v
-retrieving revision 1.107.128.4
-diff -u -r1.107.128.4 view.h
---- lib/dns/include/dns/view.h	3 Apr 2008 06:20:34 -0000	1.107.128.4
-+++ lib/dns/include/dns/view.h	21 May 2008 23:46:21 -0000
-@@ -123,6 +123,10 @@
- 	dns_acl_t *			recursionacl;
- 	dns_acl_t *			recursiononacl;
- 	dns_acl_t *			sortlist;
-+	dns_acl_t *			notifyacl;
-+	dns_acl_t *			transferacl;
-+	dns_acl_t *			updateacl;
-+	dns_acl_t *			upfwdacl;
- 	isc_boolean_t			requestixfr;
- 	isc_boolean_t			provideixfr;
- 	isc_boolean_t			requestnsid;
-Index: lib/isccfg/aclconf.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/lib/isccfg/aclconf.c,v
-retrieving revision 1.17
-diff -u -r1.17 aclconf.c
---- lib/isccfg/aclconf.c	21 Dec 2007 06:46:47 -0000	1.17
-+++ lib/isccfg/aclconf.c	21 May 2008 23:46:21 -0000
-@@ -175,6 +175,7 @@
- 	const cfg_listelt_t *elt;
- 	dns_iptable_t *iptab;
- 	int new_nest_level = 0;
-+	int nelem;
- 
- 	if (nest_level != 0)
- 		new_nest_level = nest_level - 1;
-@@ -206,6 +207,8 @@
- 			return (result);
- 	}
- 
-+	nelem = cfg_list_length(caml, ISC_FALSE);
-+
- 	de = dacl->elements;
- 	for (elt = cfg_list_first(caml);
- 	     elt != NULL;
-@@ -350,6 +353,16 @@
- 				if (result != ISC_R_SUCCESS)
- 					goto cleanup;
- 
-+				/*
-+				 * There was only one element and it was
-+				 * a nested named ACL; attach it to the
-+				 * target and let's go home.
-+				 */
-+				if (nelem == 1) {
-+					dns_acl_attach(inneracl, target);
-+					goto cleanup;
-+				}
-+
- 				goto nested_acl;
- 			}
- 		} else {
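Review bot: the whole KNOWN-DEFECTS text is removed with nothing left to say where the fix went. The deleted note promises the zone ACL fix for BIND 9.5.1, and the CHANGES part of this merge adds 2373 [RT #18092] for the same memory overconsumption, so the removal looks right. However, 2373 does not mention KNOWN-DEFECTS or the patch that was shipped inside it. Adding a few words to 2373 saying it resolves the defect documented for 9.5.0 would let operators who applied the embedded patch with "patch -p0 < KNOWN-DEFECTS" confirm that the released fix supersedes it.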

bin/dnssec/dnssec-signzone.c

 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.204 2007/08/28 07:20:42 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.204.94.2 2008/06/02 23:46:32 tbox Exp $ */
 
 /*! \file */
 
 static isc_task_t *master = NULL;
 static unsigned int ntasks = 0;
 static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
-static unsigned int assigned = 0, completed = 0;
 static isc_boolean_t nokeys = ISC_FALSE;
 static isc_boolean_t removefile = ISC_FALSE;
 static isc_boolean_t generateds = ISC_FALSE;
 			fatal("rdataset iteration failed: %s",
 			      isc_result_totext(result));
 	} else {
-		/* 
+		/*
 		 * Delete RRSIGs for types that no longer exist.
 		 */
 		result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter2);
 	dns_fixedname_t fixed;
 	dns_name_t *name;
 	isc_result_t result;
-	
+
 	dns_fixedname_init(&fixed);
 	name = dns_fixedname_name(&fixed);
 	result = dns_dbiterator_current(gdbiter, &node, name);
 	dns_rdataset_t nsec;
 	isc_boolean_t found;
 	isc_result_t result;
+	static unsigned int ended = 0;		/* Protected by namelock. */
 
 	if (shuttingdown)
 		return;
 
+	LOCK(&namelock);
 	if (finished) {
-		if (assigned == completed) {
+		ended++;
+		if (ended == ntasks) {
 			isc_task_detach(&task);
 			isc_app_shutdown();
 		}
-		return;
+		goto unlock;
 	}
 
 	fname = isc_mem_get(mctx, sizeof(dns_fixedname_t));
 	name = dns_fixedname_name(fname);
 	node = NULL;
 	found = ISC_FALSE;
-	LOCK(&namelock);
 	while (!found) {
 		result = dns_dbiterator_current(gdbiter, &node, name);
 		if (result != ISC_R_SUCCESS)
 			fatal("failure iterating database: %s",
 			      isc_result_totext(result));
 	}
-	UNLOCK(&namelock);
 	if (!found) {
-		if (assigned == completed) {
+		ended++;
+		if (ended == ntasks) {
 			isc_task_detach(&task);
 			isc_app_shutdown();
 		}
 		isc_mem_put(mctx, fname, sizeof(dns_fixedname_t));
-		return;
+		goto unlock;
 	}
 	sevent = (sevent_t *)
 		 isc_event_allocate(mctx, task, SIGNER_EVENT_WORK,
 	sevent->node = node;
 	sevent->fname = fname;
 	isc_task_send(worker, ISC_EVENT_PTR(&sevent));
-	assigned++;
+ unlock:
+	UNLOCK(&namelock);
 }
 
 /*%
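Review bot: with LOCK(&namelock) moved to the top of this function and the only UNLOCK now at the "unlock:" label, namelock is held across isc_mem_get(), isc_event_allocate(), isc_task_send(), isc_mem_put(), isc_task_detach() and isc_app_shutdown(), where the old code held it only around the dns_dbiterator loop. If the wider scope is what closes the race, say so in a comment: at the moment only "ended" carries "Protected by namelock", although "finished" is now read under the same lock, and "shuttingdown" is still tested before the lock is taken. The shutdown condition "ended == ntasks" also depends on every task reaching one of the two "ended++" branches exactly once; stating that invariant next to the declaration would help, since "ended" is a function-local static that is never reset and a second pass through either branch by the same task would throw the count off.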
 	isc_task_t *worker;
 	sevent_t *sevent = (sevent_t *)event;
 
-	completed++;
 	worker = (isc_task_t *)event->ev_sender;
 	dumpnode(dns_fixedname_name(sevent->fname), sevent->node);
 	cleannode(gdb, gversion, sevent->node);
 	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
 	unsigned char keybuf[DST_KEY_MAXSIZE];
 	unsigned int filenamelen;
-	const dns_master_style_t *style = 
+	const dns_master_style_t *style =
 		(type == dns_rdatatype_dnskey) ? masterstyle : dsstyle;
 
 	isc_buffer_init(&namebuf, namestr, sizeof(namestr));
 	printf("Signatures successfully verified:   %10d\n", nverified);
 	printf("Signatures unsuccessfully verified: %10d\n", nverifyfailed);
 	runtime_ms = runtime_us / 1000;
-	printf("Runtime in seconds:                %7u.%03u\n", 
-	       (unsigned int) (runtime_ms / 1000), 
+	printf("Runtime in seconds:                %7u.%03u\n",
+	       (unsigned int) (runtime_ms / 1000),
 	       (unsigned int) (runtime_ms % 1000));
 	if (runtime_us > 0) {
 		sig_ms = ((isc_uint64_t)nsigned * 1000000000) / runtime_us;
 		printf("Signatures per second:             %7u.%03u\n",
-		       (unsigned int) sig_ms / 1000, 
+		       (unsigned int) sig_ms / 1000,
 		       (unsigned int) sig_ms % 1000);
 	}
 }
 				fatal("jitter must be numeric and positive");
 			break;
 
-		case 'l': 
+		case 'l':
 			dns_fixedname_init(&dlv_fixed);
 			len = strlen(isc_commandline_argument);
 			isc_buffer_init(&b, isc_commandline_argument, len);
 	result = dns_master_stylecreate(&dsstyle,  DNS_STYLEFLAG_NO_TTL,
 					0, 24, 0, 0, 0, 8, mctx);
 	check_result(result, "dns_master_stylecreate");
-					
+
 
 	gdb = NULL;
 	TIME_NOW(&timer_start);
 						       DST_TYPE_PRIVATE,
 						       mctx, &newkey);
 			if (result != ISC_R_SUCCESS)
-				fatal("cannot load dnskey %s: %s", argv[i], 
-				      isc_result_totext(result)); 
+				fatal("cannot load dnskey %s: %s", argv[i],
+				      isc_result_totext(result));
 
 			key = ISC_LIST_HEAD(keylist);
 			while (key != NULL) {
 				if (dst_key_id(dkey) == dst_key_id(newkey) &&
 				    dst_key_alg(dkey) == dst_key_alg(newkey) &&
 				    dns_name_equal(dst_key_name(dkey),
-					    	   dst_key_name(newkey)))
+						   dst_key_name(newkey)))
 				{
 					if (!dst_key_isprivate(dkey))
 						fatal("cannot sign zone with "
 					       mctx, &newkey);
 		if (result != ISC_R_SUCCESS)
 			fatal("cannot load dnskey %s: %s", dskeyfile[i],
-			      isc_result_totext(result)); 
+			      isc_result_totext(result));
 
 		key = ISC_LIST_HEAD(keylist);
 		while (key != NULL) {
 			if (dst_key_id(dkey) == dst_key_id(newkey) &&
 			    dst_key_alg(dkey) == dst_key_alg(newkey) &&
 			    dns_name_equal(dst_key_name(dkey),
-				    	   dst_key_name(newkey)))
+					   dst_key_name(newkey)))
 			{
 				/* Override key flags. */
 				key->issigningkey = ISC_TRUE;

bin/named/bind9.xsl

  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: bind9.xsl,v 1.13.130.4 2008/04/09 22:49:37 jinmei Exp $ -->
+<!-- $Id: bind9.xsl,v 1.13.130.5 2008/06/24 00:09:10 jinmei Exp $ -->
 
 <xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
       </head>
       <body>
         <div class="header">Bind 9 Configuration and Statistics</div>
-
 	<br/>
 
 	<table>

bin/named/bind9.xsl.h

 /*
  * Generated by convertxsl.pl 1.9.60.4 2008/04/03 10:51:01 marka Exp  
- * From bind9.xsl 1.13.130.4 2008/04/09 22:49:37 jinmei Exp 
+ * From bind9.xsl 1.13.130.5 2008/06/24 00:09:10 jinmei Exp 
  */
 static char xslmsg[] =
 	"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
 	" - PERFORMANCE OF THIS SOFTWARE.\n"
 	"-->\n"
 	"\n"
-	"<!-- \045Id: bind9.xsl,v 1.13.130.4 2008/04/09 22:49:37 jinmei Exp \045 -->\n"
+	"<!-- \045Id: bind9.xsl,v 1.13.130.5 2008/06/24 00:09:10 jinmei Exp \045 -->\n"
 	"\n"
 	"<xsl:stylesheet version=\"1.0\"\n"
 	" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
 	" </head>\n"
 	" <body>\n"
 	" <div class=\"header\">Bind 9 Configuration and Statistics</div>\n"
-	"\n"
 	" <br/>\n"
 	"\n"
 	" <table>\n"

bin/named/server.c

  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.495.10.11 2008/05/27 22:36:09 each Exp $ */
+/* $Id: server.c,v 1.495.10.15 2008/06/24 00:09:10 jinmei Exp $ */
 
 /*! \file */
 
 #include <isc/httpd.h>
 #include <isc/lex.h>
 #include <isc/parseint.h>
+#include <isc/portset.h>
 #include <isc/print.h>
 #include <isc/resource.h>
 #include <isc/stdio.h>
  */
 static isc_result_t
 get_view_querysource_dispatch(const cfg_obj_t **maps,
-			      int af, dns_dispatch_t **dispatchp)
+			      int af, dns_dispatch_t **dispatchp,
+			      isc_boolean_t is_firstview)
 {
 	isc_result_t result;
 	dns_dispatch_t *disp;
 	isc_sockaddr_t sa;
 	unsigned int attrs, attrmask;
 	const cfg_obj_t *obj = NULL;
+	unsigned int maxdispatchbuffers;
 
 	/*
 	 * Make compiler happy.
 		attrs |= DNS_DISPATCHATTR_IPV6;
 		break;
 	}
-
-	if (isc_sockaddr_getport(&sa) != 0) {
+	if (isc_sockaddr_getport(&sa) == 0) {
+		attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
+		maxdispatchbuffers = 4096;
+	} else {
 		INSIST(obj != NULL);
-		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
-			    "using specific query-source port suppresses port "
-			    "randomization and can be insecure.");
+		if (is_firstview) {
+			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
+				    "using specific query-source port "
+				    "suppresses port randomization and can be "
+				    "insecure.");
+		}
+		maxdispatchbuffers = 1000;
 	}
 
 	attrmask = 0;
 	disp = NULL;
 	result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
 				     ns_g_taskmgr, &sa, 4096,
-				     1024, 32768, 16411, 16433,
+				     maxdispatchbuffers, 32768, 16411, 16433,
 				     attrs, attrmask, &disp);
 	if (result != ISC_R_SUCCESS) {
 		isc_sockaddr_t any;
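Review bot: in the `else` branch, gating the "suppresses port randomization" message on `is_firstview` means a fixed query-source port configured only in a later view is never reported: the first view takes the port-zero branch and logs nothing, and the later view is skipped because it is not first. Suppress duplicates per configuration object instead of per view position. Separately, `maxdispatchbuffers` is 4096 for the exclusive case and 1000 for the fixed-port case with no comment, and the fixed-port value quietly changes from the previous literal 1024; name the two values or explain how they were chosen.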
 	 *
 	 * XXXRTH  Hardwired number of tasks.
 	 */
-	CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4));
-	CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6));
+	CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4,
+					    ISC_TF(ISC_LIST_PREV(view, link)
+						   == NULL)));
+	CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6,
+					    ISC_TF(ISC_LIST_PREV(view, link)
+						   == NULL)));
 	if (dispatch4 == NULL && dispatch6 == NULL) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "unable to obtain neither an IPv4 nor"
 		result = ISC_R_UNEXPECTED;
 		goto cleanup;
 	}
-
-	obj = NULL;
-	(void)ns_config_get(maps, "use-queryport-pool", &obj);
-	if (obj == NULL || cfg_obj_asboolean(obj)) {
-		isc_sockaddr_t sa;
-		isc_boolean_t logit4 = ISC_FALSE, logit6 = ISC_FALSE;
-
-		resopts |= (DNS_RESOLVER_USEDISPATCHPOOL4 |
-			    DNS_RESOLVER_USEDISPATCHPOOL6);
-
-		/* Check consistency with query-source(-v6) */
-		if (dispatch4 == NULL)
-			resopts &= ~DNS_RESOLVER_USEDISPATCHPOOL4;
-		else {
-			result = dns_dispatch_getlocaladdress(dispatch4, &sa);
-			INSIST(result == ISC_R_SUCCESS);
-			if (isc_sockaddr_getport(&sa) != 0) {
-				logit4 = ISC_TRUE;
-				resopts &= ~DNS_RESOLVER_USEDISPATCHPOOL4;
-			}
-		}
-
-		if (dispatch6 == NULL)
-			resopts &= ~DNS_RESOLVER_USEDISPATCHPOOL6;
-		else {
-			result = dns_dispatch_getlocaladdress(dispatch6, &sa);
-			INSIST(result == ISC_R_SUCCESS);
-			if (isc_sockaddr_getport(&sa) != 0) {
-				logit6 = ISC_TRUE;
-				resopts &= ~DNS_RESOLVER_USEDISPATCHPOOL6;
-			}
-		}
-		if (logit4 && obj != NULL)
-			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
-				    "specific query-source port "
-				    "cannot coexist with queryport-pool. "
-				    "(Pool disabled)");
-		if (logit6 && obj != NULL)
-			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
-				    "specific query-source-v6 port "
-				    "cannot coexist with queryport-pool. "
-				    "(Pool disabled)");
-	}
-
 	CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
 				      ns_g_socketmgr, ns_g_timermgr,
 				      resopts, ns_g_dispatchmgr,
 				      dispatch4, dispatch6));
 
+	if (resstats == NULL) {
+		CHECK(dns_generalstats_create(mctx, &resstats,
+					      dns_resstatscounter_max));
+	}
+	dns_view_setresstats(view, resstats);
+	if (resquerystats == NULL)
+		CHECK(dns_rdatatypestats_create(mctx, &resquerystats));
+	dns_view_setresquerystats(view, resquerystats);
+
 	/*
 	 * Set the ADB cache size to 1/8th of the max-cache-size.
 	 */
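Review bot: the removed block was the only code in this hunk that read `use-queryport-pool` and set `DNS_RESOLVER_USEDISPATCHPOOL4`/`DNS_RESOLVER_USEDISPATCHPOOL6`, and nothing here shows what happens to an existing configuration that still sets the option. Confirm the parser still accepts it as obsolete and that the documentation says so. In the added lines, `resstats` and `resquerystats` are created only when NULL and then set on every view, so they are shared objects; their declaration and release are not visible in this hunk, so check that the error path taken by `CHECK` after a failed `dns_rdatatypestats_create()` does not leave `resstats` allocated.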
 	CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
 				      &view->sortlist));
 
+	/*
+	 * Configure default allow-transfer, allow-notify, allow-update
+	 * and allow-update-forwarding ACLs, if set, so they can be
+	 * inherited by zones.
+	 */
+	if (view->notifyacl == NULL)
+		CHECK(configure_view_acl(NULL, ns_g_config,
+					 "allow-notify", actx,
+					 ns_g_mctx, &view->notifyacl));
+	if (view->transferacl == NULL)
+		CHECK(configure_view_acl(NULL, ns_g_config,
+					 "allow-transfer", actx,
+					 ns_g_mctx, &view->transferacl));
+	if (view->updateacl == NULL)
+		CHECK(configure_view_acl(NULL, ns_g_config,
+					 "allow-update", actx,
+					 ns_g_mctx, &view->updateacl));
+	if (view->upfwdacl == NULL)
+		CHECK(configure_view_acl(NULL, ns_g_config,
+					 "allow-update-forwarding", actx,
+					 ns_g_mctx, &view->upfwdacl));
+
 	obj = NULL;
 	result = ns_config_get(maps, "request-ixfr", &obj);
 	INSIST(result == ISC_R_SUCCESS);
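Review bot: the four added `configure_view_acl()` calls pass `NULL` and `ns_g_config`, while the `configure_view_sortlist()` call directly above passes `vconfig` and `config`. The comment says these defaults are "inherited by zones" but does not say that the view's and the loaded configuration's own settings are deliberately bypassed at this point. State in the comment which configuration level these defaults come from and where view-level or options-level values take over, otherwise this reads like a copy-paste slip.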
 	SETLIMIT("files", openfiles, "open files");
 }
 
-static isc_result_t
-portlist_fromconf(dns_portlist_t *portlist, unsigned int family,
-		  const cfg_obj_t *ports)
+static void
+portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
+		 isc_boolean_t positive)
 {
 	const cfg_listelt_t *element;
-	isc_result_t result = ISC_R_SUCCESS;
 
 	for (element = cfg_list_first(ports);
 	     element != NULL;
 	     element = cfg_list_next(element)) {
 		const cfg_obj_t *obj = cfg_listelt_value(element);
-		in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
-
-		result = dns_portlist_add(portlist, family, port);
-		if (result != ISC_R_SUCCESS)
-			break;
+
+		if (cfg_obj_isuint32(obj)) {
+			in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
+
+			if (positive)
+				isc_portset_add(portset, port);
+			else
+				isc_portset_remove(portset, port);
+		} else {
+			const cfg_obj_t *obj_loport, *obj_hiport;
+			in_port_t loport, hiport;
+
+			obj_loport = cfg_tuple_get(obj, "loport");
+			loport = (in_port_t)cfg_obj_asuint32(obj_loport);
+			obj_hiport = cfg_tuple_get(obj, "hiport");
+			hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
+
+			if (positive)
+				isc_portset_addrange(portset, loport, hiport);
+			else {
+				isc_portset_removerange(portset, loport,
+							hiport);
+			}
+		}
 	}
-	return (result);
 }
 
 static isc_result_t
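Review bot: the range branch passes `loport` and `hiport` straight to `isc_portset_addrange()` or `isc_portset_removerange()` without checking `loport <= hiport`, and both values are narrowed from `cfg_obj_asuint32()` to `in_port_t` without a bounds check. If the parser already guarantees both properties, say so in a comment; otherwise validate here. Changing the return type to `void` also removes any way to report such a problem to the caller, so the validation has to live either in the parser or in an `INSIST` in this function.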
 	const cfg_obj_t *options;
 	const cfg_obj_t *views;
 	const cfg_obj_t *obj;
-	const cfg_obj_t *v4ports, *v6ports;
+	const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
 	const cfg_obj_t *maps[3];
 	const cfg_obj_t *builtin_views;
 	const cfg_listelt_t *element;
 	isc_uint32_t interface_interval;
 	isc_uint32_t heartbeat_interval;
 	isc_uint32_t udpsize;
-	in_port_t listen_port;
+	in_port_t listen_port, udpport_low, udpport_high;
+	isc_portset_t *v4portset = NULL;
+	isc_portset_t *v6portset = NULL;
 	int i;
 
 	cfg_aclconfctx_init(&aclconfctx);
 	CHECKM(ns_statschannels_configure(ns_g_server, config, &aclconfctx),
 	       "configuring statistics server(s)");
 
-	v4ports = NULL;
-	v6ports = NULL;
-	(void)ns_config_get(maps, "avoid-v4-udp-ports", &v4ports);
-	(void)ns_config_get(maps, "avoid-v6-udp-ports", &v6ports);
-	if (v4ports != NULL || v6ports != NULL) {
-		dns_portlist_t *portlist = NULL;
-		result = dns_portlist_create(ns_g_mctx, &portlist);
-		if (result == ISC_R_SUCCESS && v4ports != NULL)
-			result = portlist_fromconf(portlist, AF_INET, v4ports);
-		if (result == ISC_R_SUCCESS && v6ports != NULL)
-			portlist_fromconf(portlist, AF_INET6, v6ports);
-		if (result == ISC_R_SUCCESS)
-			dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, portlist);
-		if (portlist != NULL)
-			dns_portlist_detach(&portlist);
-		CHECK(result);
-	} else
-		dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, NULL);
+	/*
+	 * Configure sets of UDP query source ports.
+	 */
+	CHECKM(isc_portset_create(ns_g_mctx, &v4portset),
+	       "creating UDP port set");
+	CHECKM(isc_portset_create(ns_g_mctx, &v6portset),
+	       "creating UDP port set");
+
+	usev4ports = NULL;
+	usev6ports = NULL;
+	avoidv4ports = NULL;
+	avoidv6ports = NULL;
+
+	(void)ns_config_get(maps, "use-v4-udp-ports", &usev4ports);
+	if (usev4ports != NULL)
+		portset_fromconf(v4portset, usev4ports, ISC_TRUE);
+	else {
+		CHECKM(isc_net_getudpportrange(AF_INET, &udpport_low,
+					       &udpport_high),
+		       "get the default UDP/IPv4 port range");
+		if (udpport_low == udpport_high)
+			isc_portset_add(v4portset, udpport_low);
+		else {
+			isc_portset_addrange(v4portset, udpport_low,
+					     udpport_high);
+		}
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "using default UDP/IPv4 port range: [%d, %d]",
+			      udpport_low, udpport_high);
+	}
+	(void)ns_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
+	if (avoidv4ports != NULL)
+		portset_fromconf(v4portset, avoidv4ports, ISC_FALSE);
+
+	(void)ns_config_get(maps, "use-v6-udp-ports", &usev6ports);
+	if (usev6ports != NULL)
+		portset_fromconf(v6portset, usev6ports, ISC_TRUE);
+	else {
+		CHECKM(isc_net_getudpportrange(AF_INET6, &udpport_low,
+					       &udpport_high),
+		       "get the default UDP/IPv6 port range");
+		if (udpport_low == udpport_high)
+			isc_portset_add(v6portset, udpport_low);
+		else {
+			isc_portset_addrange(v6portset, udpport_low,
+					     udpport_high);
+		}
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "using default UDP/IPv6 port range: [%d, %d]",
+			      udpport_low, udpport_high);
+	}
+	(void)ns_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
+	if (avoidv6ports != NULL)
+		portset_fromconf(v6portset, avoidv6ports, ISC_FALSE);
+
+	dns_dispatchmgr_setavailports(ns_g_dispatchmgr, v4portset, v6portset);
 
 	/*
 	 * Set the EDNS UDP size when we don't match a view.
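Review bot: after the `avoid-v4-udp-ports` and `avoid-v6-udp-ports` removals nothing checks that `v4portset` and `v6portset` still contain any port before they are handed to `dns_dispatchmgr_setavailports()`. A configuration whose avoid list covers the whole use range would leave an empty set; detect that here and fail or log at load time rather than at the first query. The IPv4 and IPv6 blocks are also line-for-line duplicates apart from the address family and option names, so a small helper taking the family and the two option names would halve this hunk and keep the two paths from drifting apart.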
 	result = ISC_R_SUCCESS;
 
  cleanup:
+	if (v4portset != NULL)
+		isc_portset_destroy(ns_g_mctx, &v4portset);
+
+	if (v6portset != NULL)
+		isc_portset_destroy(ns_g_mctx, &v6portset);
+
 	cfg_aclconfctx_destroy(&aclconfctx);
 
 	if (parser != NULL) {

bin/named/zoneconf.c

  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.139.56.3 2008/05/21 23:26:11 each Exp $ */
+/* $Id: zoneconf.c,v 1.139.56.5 2008/05/29 23:46:34 tbox Exp $ */
 
 /*% */
 
 #include <named/server.h>
 #include <named/zoneconf.h>
 
+/* ACLs associated with zone */
+typedef enum {
+	allow_notify,
+	allow_query,
+	allow_transfer,
+	allow_update,
+	allow_update_forwarding
+} acl_type_t;
+
 /*%
  * These are BIND9 server defaults, not necessarily identical to the
  * library defaults defined in zone.c.
  */
 static isc_result_t
 configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
-		   const cfg_obj_t *config, const char *aclname,
+		   const cfg_obj_t *config, acl_type_t acltype,
 		   cfg_aclconfctx_t *actx, dns_zone_t *zone,
 		   void (*setzacl)(dns_zone_t *, dns_acl_t *),
 		   void (*clearzacl)(dns_zone_t *))
 {
 	isc_result_t result;
-	const cfg_obj_t *maps[5];
+	const cfg_obj_t *maps[5] = {NULL, NULL, NULL, NULL, NULL};
 	const cfg_obj_t *aclobj = NULL;
 	int i = 0;
-	dns_acl_t *dacl = NULL;
+	dns_acl_t **aclp = NULL, *acl = NULL;
+	const char *aclname;
+	dns_view_t *view;
 
-	if (zconfig != NULL)
-		maps[i++] = cfg_tuple_get(zconfig, "options");
+	view = dns_zone_getview(zone);
+
+	switch (acltype) {
+	    case allow_notify:
+		if (view != NULL)
+			aclp = &view->notifyacl;
+		aclname = "allow-notify";
+		break;
+	    case allow_query:
+		if (view != NULL)
+			aclp = &view->queryacl;
+		aclname = "allow-query";
+		break;
+	    case allow_transfer:
+		if (view != NULL)
+			aclp = &view->transferacl;
+		aclname = "allow-transfer";
+		break;
+	    case allow_update:
+		if (view != NULL)
+			aclp = &view->updateacl;
+		aclname = "allow-update";
+		break;
+	    case allow_update_forwarding:
+		if (view != NULL)
+			aclp = &view->upfwdacl;
+		aclname = "allow-update-forwarding";
+		break;
+	    default:
+		INSIST(0);
+		return (ISC_R_FAILURE);
+	}
+
+	/* First check to see if ACL is defined within the zone */
+	if (zconfig != NULL) {
+		maps[0] = cfg_tuple_get(zconfig, "options");
+		ns_config_get(maps, aclname, &aclobj);
+		if (aclobj != NULL) {
+			aclp = NULL;
+			goto parse_acl;
+		}
+	}
+
+	/* Failing that, see if there's a default ACL already in the view */
+	if (aclp != NULL && *aclp != NULL) {
+		(*setzacl)(zone, *aclp);
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Check for default ACLs that haven't been parsed yet */
 	if (vconfig != NULL)
 		maps[i++] = cfg_tuple_get(vconfig, "options");
 	if (config != NULL) {
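Review bot: the zone lookup writes `maps[0]` directly and leaves `i` at 0, so the following `maps[i++] = cfg_tuple_get(vconfig, "options")` overwrites the zone entry. That appears to be intended, since zone options were already searched, but it only works because `maps` is now zero-initialised and `i` is untouched; add a comment at the `maps[0]` assignment so a later edit does not "fix" it to `maps[i++]`. The new `ns_config_get(maps, aclname, &aclobj);` also drops its return value without the `(void)` cast used for the same call in server.c.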
 		return (ISC_R_SUCCESS);
 	}
 
+parse_acl:
 	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx,
-				    dns_zone_getmctx(zone), 0, &dacl);
+				    dns_zone_getmctx(zone), 0, &acl);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	(*setzacl)(zone, dacl);
-	dns_acl_detach(&dacl);
+	(*setzacl)(zone, acl);
+
+	/* Set the view default now */
+	if (aclp != NULL)
+		dns_acl_attach(acl, aclp);
+
+	dns_acl_detach(&acl);
 	return (ISC_R_SUCCESS);
 }
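Review bot: at `parse_acl`, the ACL is created with `dns_zone_getmctx(zone)` and then attached to the view through `dns_acl_attach(acl, aclp)`, so a view-wide default ends up allocated from whichever zone happened to be configured first, whereas the view defaults added in server.c use `ns_g_mctx`. If the two contexts can differ, pick the view-level one when `aclp != NULL`. Minor style point: the `parse_acl:` label starts in column 0, while the other labels touched by this commit (` unlock:`, ` cleanup:`) are indented by one space.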
 
 
 	if (ztype == dns_zone_slave)
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  "allow-notify", ac, zone,
+					  allow_notify, ac, zone,
 					  dns_zone_setnotifyacl,
 					  dns_zone_clearnotifyacl));
 	/*
 	 * XXXAG This probably does not make sense for stubs.
 	 */
 	RETERR(configure_zone_acl(zconfig, vconfig, config,
-				  "allow-query", ac, zone,
+				  allow_query, ac, zone,
 				  dns_zone_setqueryacl,
 				  dns_zone_clearqueryacl));
 
 		dns_zone_setisself(zone, ns_client_isself, NULL);
 
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  "allow-transfer", ac, zone,
+					  allow_transfer, ac, zone,
 					  dns_zone_setxfracl,
 					  dns_zone_clearxfracl));
 
 	if (ztype == dns_zone_master) {
 		dns_acl_t *updateacl;
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  "allow-update", ac, zone,
+					  allow_update, ac, zone,
 					  dns_zone_setupdateacl,
 					  dns_zone_clearupdateacl));
 
 				   cfg_obj_asboolean(obj));
 	} else if (ztype == dns_zone_slave) {
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  "allow-update-forwarding", ac, zone,
+					  allow_update_forwarding, ac, zone,
 					  dns_zone_setforwardacl,
 					  dns_zone_clearforwardacl));
 	}
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.418.60.8 2008/05/06 01:33:33 each Exp $
+# $Id: configure,v 1.418.60.10 2008/06/24 00:10:49 jinmei Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
 ISC_SOCKADDR_LEN_T
 ISC_PLATFORM_HAVELONGLONG
 ISC_PLATFORM_HAVELIFCONF
+ISC_PLATFORM_HAVEKQUEUE
+ISC_PLATFORM_HAVEEPOLL
+ISC_PLATFORM_HAVEDEVPOLL
 ISC_PLATFORM_NEEDSYSSELECTH
 LWRES_PLATFORM_NEEDSYSSELECTH
 USE_OPENSSL
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
+#
+# check if we have kqueue
+#
+{ echo "$as_me:$LINENO: checking for kqueue" >&5
+echo $ECHO_N "checking for kqueue... $ECHO_C" >&6; }
+if test "${ac_cv_func_kqueue+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define kqueue to an innocuous variant, in case <limits.h> declares kqueue.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define kqueue innocuous_kqueue
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char kqueue (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef kqueue
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char kqueue ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_kqueue || defined __stub___kqueue
+choke me
+#endif
+
+int
+main ()
+{
+return kqueue ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_func_kqueue=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_func_kqueue=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_kqueue" >&5
+echo "${ECHO_T}$ac_cv_func_kqueue" >&6; }
+if test $ac_cv_func_kqueue = yes; then
+  ac_cv_have_kqueue=yes
+else
+  ac_cv_have_kqueue=no
+fi
+
+case $ac_cv_have_kqueue in
+yes)
+	ISC_PLATFORM_HAVEKQUEUE="#define ISC_PLATFORM_HAVEKQUEUE 1"
+	;;
+*)
+	ISC_PLATFORM_HAVEKQUEUE="#undef ISC_PLATFORM_HAVEKQUEUE"
+	;;
+esac
+
+
+#
+# check if we have epoll
+#
+{ echo "$as_me:$LINENO: checking for epoll_create" >&5
+echo $ECHO_N "checking for epoll_create... $ECHO_C" >&6; }
+if test "${ac_cv_func_epoll_create+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define epoll_create to an innocuous variant, in case <limits.h> declares epoll_create.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define epoll_create innocuous_epoll_create
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char epoll_create (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef epoll_create
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char epoll_create ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_epoll_create || defined __stub___epoll_create
+choke me
+#endif
+
+int
+main ()
+{
+return epoll_create ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_func_epoll_create=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_func_epoll_create=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_epoll_create" >&5
+echo "${ECHO_T}$ac_cv_func_epoll_create" >&6; }
+if test $ac_cv_func_epoll_create = yes; then
+  ac_cv_have_epoll=yes
+else
+  ac_cv_have_epoll=no
+fi
+
+case $ac_cv_have_epoll in
+yes)
+	ISC_PLATFORM_HAVEEPOLL="#define ISC_PLATFORM_HAVEEPOLL 1"
+	;;
+*)
+	ISC_PLATFORM_HAVEEPOLL="#undef ISC_PLATFORM_HAVEEPOLL"
+	;;
+esac
+
+
+#
+# check if we support /dev/poll
+#
+
+for ac_header in sys/devpoll.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_HAVEDEVPOLL="#define ISC_PLATFORM_HAVEDEVPOLL 1"
+
+else
+  ISC_PLATFORM_HAVEDEVPOLL="#undef ISC_PLATFORM_HAVEDEVPOLL"
+
+fi
+
+done
+
+
 
 #
 # check if we need to #include sys/select.h explicitly
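Review bot: this block is autoconf output, so the change to review is the corresponding configure.in edit, which should be part of the same commit; please make sure the generated file was not edited by hand. On substance, the kqueue and epoll checks link a test program against `kqueue()` and `epoll_create()`, but the /dev/poll check only looks for the header `sys/devpoll.h` before defining `ISC_PLATFORM_HAVEDEVPOLL`. Header presence does not show the device is usable at run time, so the socket code needs a fallback if opening it fails, and it is worth documenting which mechanism wins when more than one of the three macros is defined.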
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 9594 "configure"' > conftest.$ac_ext
+  echo '#line 9945 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:11716: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12067: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:11720: \$? = $ac_status" >&5
+   echo "$as_me:12071: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:11959: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12310: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:11963: \$? = $ac_status" >&5
+   echo "$as_me:12314: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:12019: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12370: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:12023: \$? = $ac_status" >&5
+   echo "$as_me:12374: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 14167 "configure"
+#line 14518 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
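Review bot: The `#line 14518 "configure"` directive inside the conftest here-document moves by the same +351 as every `$as_me:` stamp visible in this file, which is what a single insertion further up and a clean regeneration would produce. A stamp with a different offset would be the sign of a partial regeneration or a manual conflict resolution, so it is worth checking that the offset is uniform across the whole file. Since this directive only affects which line the compiler reports in conftest diagnostics, the rest of the hunk needs no change.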
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 14265 "configure"
+#line 14616 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16458: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16809: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16462: \$? = $ac_status" >&5
+   echo "$as_me:16813: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16518: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16869: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:16522: \$? = $ac_status" >&5
+   echo "$as_me:16873: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 17846 "configure"
+#line 18197 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 17944 "configure"
+#line 18295 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:18781: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:19132: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:18785: \$? = $ac_status" >&5
+   echo "$as_me:19136: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:18841: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:19192: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:18845: \$? = $ac_status" >&5
+   echo "$as_me:19196: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:20875: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:21226: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:20879: \$? = $ac_status" >&5
+   echo "$as_me:21230: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:21118: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:21469: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:21122: \$? = $ac_status" >&5
+   echo "$as_me:21473: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \